ISC BIND early availability: 9.11.0a1

Evan Hunt each at isc.org
Thu Mar 24 20:16:30 UTC 2016


The following BIND 9 release is now available for download at
https://source.isc.org/betas.shtml.

     - BIND 9.11.0a1

If no problems are reported, this release will be signed and published
at https://www.isc.org/downloads and ftp://ftp.isc.org/isc/bind9.

This is the first alpha release for BIND 9.11.  It includes the
following new features:

    - Added support for "dnstap", a fast and flexible method of
      capturing and logging DNS traffic.
    - Added support for "dyndb", a new API for loading zone data
      from an external database, developed by Red Hat for the FreeIPA
      project.
    - The new "rndc nta" command can be used to set a Negative
      Trust Anchor (NTA), disabling DNSSEC validation for a
      specific domain; this can be used when responses from a
      domain are known to be failing validation due to administrative
      error rather than because of a spoofing attack.  Negative
      trust anchors are strictly temporary; by default they expire
      after one hour, but can be configured to last up to one week.
    - New "fetchlimit" quotas are now available for the use of
      recursive resolvers that are under high query load for
      domains whose authoritative servers are nonresponsive or are
      experiencing a denial of service attack:
      + "fetches-per-server" limits the number of simultaneous queries
        that can be sent to any single authoritative server.  The
        configured value is a starting point; it is automatically
        adjusted downward if the server is partially or completely
        non-responsive. The algorithm used to adjust the quota can be
        configured via the "fetch-quota-params" option.
      + "fetches-per-zone" limits the number of simultaneous queries
        that can be sent for names within a single domain.  (Note:
        Unlike "fetches-per-server", this value is not self-tuning.)
      + New stats counters have been added to count
        queries spilled due to these quotas.
    - The experimental "SIT" feature in BIND 9.10 has been renamed
      "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
      enabling clients to detect off-path spoofed responses, and
      servers to detect spoofed-source queries.  Clients that identify
      themselves using COOKIE options are not subject to response rate
      limiting (RRL) and can receive larger UDP responses.
    - SERVFAIL responses can now be cached for a limited time
      (defaulting to 1 second, with an upper limit of 30).
      This can reduce the frequency of retries when a query is
      persistently failing.
    - The "controls" block in named.conf can now grant read-only
      "rndc" access to specified clients or keys. Read-only clients
      could, for example, check "rndc status" but could not
      reconfigure or shut down the server.
    - "rndc" commands can now return arbitrarily large amounts of
      text to the caller.
    - The zone serial number of a dynamically updatable zone
      can now be set via "rndc signing -serial <number> <zonename>".
      This allows inline-signing zones to be set to a specific
      serial number.
    - "rndc delzone" can now be used on zones that were not originally
      created by "rndc addzone".
    - "rndc modzone" reconfigures a single zone, without requiring
      the entire server to be reconfigured.
    - "rndc showzone" displays the current configuration of a zone.
    - "rndc managed-keys" can be used to check the status of RFC 5001
      managed trust anchors, or to force trust anchors to be refreshed.
    - "max-cache-size" can now be set to a percentage of available
      memory. The default is 90%.
    - Update forwarding performance has been improved by allowing
      a single TCP connection to be shared by multiple updates.
    - The EDNS Client Subnet (ECS) option is now supported for
      authoritative servers; if a query contains an ECS option
      then ACLs containing "geoip" or "ecs" elements can match
      against the address encoded in the option.  This can be
      used to select a view for a query, so that different answers
      can be provided depending on the client network.
    - The EDNS EXPIRE option has been implemented on the client
      side, allowing a slave server to set the expiration timer
      correctly when transferring zone data from another slave
      server.
    - The key generation and manipulation tools (dnssec-keygen,
      dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
      take "-Psync" and "-Dsync" options to set the publication
      and deletion times of CDS and CDNSKEY parent-synchronization
      records.  Both named and dnssec-signzone can now publish and
      remove these records at the scheduled times.
    - A new "masterfile-style" zone option controls the formatting
      of text zone files: when set to "full", a zone file is dumped
      in single-line-per-record format.
    - "serial-update-method" can now be set to "date". On update,
      the serial number will be set to the current date in YYYYMMDDNN
      format.
    - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
    - "named -L <filename>" causes named to send log messages to
      the specified file by default instead of to the system log.
    - "dig +ttlunits" prints TTL values with time-unit suffixes:
      w, d, h, m, s for weeks, days, hours, minutes, and seconds.
    - "dig +unknownformat" prints dig output in RFC 3597 "unknown
      record" presentation format.
    - "dig +ednsopt" allows dig to set arbitrary EDNS options on
      requests.
    - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
      flags on requests.
    - "mdig" is an alternate version of dig which sends multiple
      pipelined TCP queries to a server.  Instead of waiting for a
      response after sending a query, it sends all queries
      immediately and displays responses in the order received.
    - "serial-query-rate" no longer controls NOTIFY messages.
      These are separately controlled by "notify-rate" and
      "startup-notify-rate".
    - "nsupdate" now performs "check-names" processing by default
      on records to be added.  This can be disabled with
      "check-names no;".
    - The statistics channel now supports DEFLATE compression,
      reducing the size of the data sent over the network when
      querying statistics.
    - New counters have been added to the statistics channel
      to track the sizes of incoming queries and outgoing responses in
      histogram buckets, as specified in RSSAC002.
    - A new NXDOMAIN redirect method (option "nxdomain-redirect")
      has been added, allowing redirection to a specified DNS
      namespace instead of a single redirect zone.
    - When starting up, named now ensures that no other named
      process is already running.
    - Files created by named to store information, including "mkeys"
      and "nzf" files, are now named after their corresponding views
      unless the view name contains characters incompatible with use
      as a filename. Old style filenames (based on the hash of the
      view name) will still work.
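
Added example (not part of this announcement and not ISC's own sample
configuration): a named.conf fragment for a recursive resolver that
exercises several of the options listed above, namely the fetch limits,
SERVFAIL caching, percentage-based "max-cache-size", negative trust
anchor lifetimes, EDNS COOKIE, dnstap, read-only "rndc" access and the
"serial-update-method date" / "masterfile-style full" zone options.
The directory, file paths, key names, key secrets, client prefix and zone
name are placeholders chosen for illustration; the option names that do
not appear in the announcement ("servfail-ttl", "nta-lifetime",
"nta-recheck", "send-cookie", "dnstap-output", "read-only") are taken from
the BIND 9.11 documentation, and the "fetch-quota-params" values shown
are the documented defaults. dnstap only works in a named built with
dnstap support, and the fragment should be checked with "named-checkconf"
before use.

```conf
// Placeholder keys: generate real secrets with "rndc-confgen -a" or
// similar; the all-zero base64 values below are deliberately not usable.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder
};
key "rndc-ro-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";   // placeholder
};

options {
    directory "/var/named";                 // placeholder path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };      // placeholder client prefix

    // Fetch limits: bound the number of outstanding queries toward any
    // one authoritative server (self-tuning) and toward any one zone
    // (static), so a burst of queries for an unresponsive domain cannot
    // tie up all of the resolver's recursive-client slots.
    fetches-per-server 200;
    fetches-per-zone 100;
    // recalc-interval, low, high, discount: controls how the per-server
    // quota is scaled down as the timeout ratio toward that server rises
    fetch-quota-params 100 0.1 0.3 0.7;

    // Cache SERVFAIL briefly so a persistently failing name does not
    // restart a full resolution attempt on every client retry
    // (seconds; the announcement gives a default of 1, maximum 30).
    servfail-ttl 1;

    // Size the cache as a fraction of system memory (default 90%).
    max-cache-size 80%;

    // Negative trust anchors are added at run time with "rndc nta";
    // these settings bound how long validation stays disabled for a
    // name and how often named re-checks whether the NTA is still needed.
    dnssec-validation auto;
    nta-lifetime 1h;
    nta-recheck 5m;

    // EDNS COOKIE: include a client cookie in upstream queries so that
    // off-path spoofed responses can be recognised and discarded.
    send-cookie yes;

    // dnstap: log client queries/responses and resolver traffic to a
    // file for later analysis (requires a dnstap-enabled build).
    dnstap { client; resolver; };
    dnstap-output file "/var/named/dnstap.out";  // placeholder path
};

// Full control on port 953; a second, read-only channel on port 9953
// whose key can run "rndc status" but cannot reconfigure or stop named.
controls {
    inet 127.0.0.1 port 953  allow { 127.0.0.1; } keys { "rndc-key"; };
    inet 127.0.0.1 port 9953 allow { 127.0.0.1; } keys { "rndc-ro-key"; }
        read-only yes;
};

// Placeholder dynamically updated, inline-signed zone: each update sets
// the serial to YYYYMMDDNN, and dumped zone files use one line per record.
zone "example.com" {
    type master;
    file "example.com.db";                  // placeholder path
    update-policy local;
    inline-signing yes;
    auto-dnssec maintain;
    serial-update-method date;
    masterfile-style full;
};
```

With this in place, a monitoring account holding "rndc-ro-key" can poll
"rndc -p 9953 status" without being able to issue "rndc reconfig" or
"rndc stop", and the fetch-limit spill counters mentioned above can be
read from the statistics channel to see whether the quotas are being hit.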

A detailed list of the changes for each release can be found in
the file CHANGES.  Bug reports can be sent to bind9-bugs at isc.org.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
