ISC BIND early availability: 9.11.0a1
each at isc.org
Thu Mar 24 20:16:30 UTC 2016
The following BIND 9 release is now available for download at
- BIND 9.11.0a1
If no problems are reported, this release will be signed and published
at https://www.isc.org/downloads and ftp://ftp.isc.org/isc/bind9.
This is the first alpha release for BIND 9.11. It includes the
following new features:
- Added support for "dnstap", a fast and flexible method of
capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
- The new "rndc nta" command can be used to set a Negative
Trust Anchor (NTA), disabling DNSSEC validation for a
specific domain; this can be used when responses from a
domain are known to be failing validation due to administrative
error rather than because of a spoofing attack. Negative
trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
- New "fetchlimit" quotas are now available for the use of
recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
adjusted downward if the server is partially or completely
non-responsive. The algorithm used to adjust the quota can be
configured via the "fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries
that can be sent for names within a single domain. (Note:
Unlike "fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count
queries spilled due to these quotas.
- The experimental "SIT" feature in BIND 9.10 has been renamed
"COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
enabling clients to detect off-path spoofed responses, and
servers to detect spoofed-source queries. Clients that identify
themselves using COOKIE options are not subject to response rate
limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
(defaulting to 1 second, with an upper limit of 30).
This can reduce the frequency of retries when a query is
- The "controls" block in named.conf can now grant read-only
"rndc" access to specified clients or keys. Read-only clients
could, for example, check "rndc status" but could not
reconfigure or shut down the server.
- "rndc" commands can now return arbitrarily large amounts of
text to the caller.
- The zone serial number of a dynamically updatable zone
can now be set via "rndc signing -serial <number> <zonename>".
This allows inline-signing zones to be set to a specific
- "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
- "rndc modzone" reconfigures a single zone, without requiring
the entire server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001
managed trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available
memory. The default is 90%.
- Update forwarding performance has been improved by allowing
a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
authoritative servers; if a query contains an ECS option
then ACLs containing "geoip" or "ecs" elements can match
against the the address encoded in the option. This can be
used to select a view for a query, so that different answers
can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
side, allowing a slave server to set the expiration timer
correctly when transferring zone data from another slave
- The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
take "-Psync" and "-Dsync" options to set the publication
and deletion times of CDS and CDNSKEY parent-synchronization
records. Both named and dnssec-signzone can now publish and
remove these records at the scheduled times.
- A new "masterfile-style" zone option controls the formatting
of text zone files: When set to "full", a zone file is dumped
in single-line-per-record format.
- "serial-update-method" can now be set to "date". On update,
the serial number will be set to the current date in YYYYMMDDNN
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
the specified file by default instead of to the system log.
- "dig +ttlunits" prints TTL values with time-unit suffixes:
w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- "dig +unknownformat" prints dig output in RFC 3597 "unknown
record" presentation format.
- "dig +ednsopt" allows dig to set arbitrary EDNS options on
- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
flags on requests.
- "mdig" is an alternate version of dig which sends multiple
pipelined TCP queries to a server. Instead of waiting for a
response after sending a query, it sends all queries
immediately and displays responses in the order received.
- "serial-query-rate" no longer controls NOTIFY messages.
These are separately controlled by "notify-rate" and
- "nsupdate" now performs "check-names" processing by default
on records to be added. This can be disabled with
- The statistics channel now supports DEFLATE compression,
reducing the size of the data sent over the network when
- New counters have been added to the statistics channel
to track the sizes of incoming queries and outgoing responses in
histogram buckets, as specified in RSSAC002.
- A new NXDOMAIN redirect method (option "nxdomain-redirect")
has been added, allowing redirection to a specified DNS
namespace instead of a single redirect zone.
- When starting up, named now ensures that no other named
process is already running.
- Files created by named to store information, including "mkeys"
and "nzf" files, are now named after their corresponding views
unless the view name contains characters incompatible with use
as a filename. Old style filenames (based on the hash of the
view name) will still work.
A detailed list of the changes for each release can be found in
the file CHANGES. Bug reports can be sent to bind9-bugs at isc.org.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-workers