+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<!--
- - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: RELEASE-NOTES-BIND-9.7.html,v 1.1.2.2 2010/11/29 01:16:57 tbox Exp $ -->
-
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" type="text/css" href="release-notes.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.76.1" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112133"></a>Introduction</h2></div></div></div>
-
- <p>
- BIND 9.7.2-P3 is a maintenance release for BIND 9.7.
- </p>
- <p>
- This document summarizes changes from BIND 9.7.1 to BIND 9.7.2-P3.
- Please see the CHANGES file in the source code release for a
- complete list of all changes.
- </p>
- </div>
-
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112189"></a>Download</h2></div></div></div>
-
- <p>
- The latest release of BIND 9 software can always be found
- on our web site at
- <a class="ulink" href="http://www.isc.org/software/bind" target="_top">http://www.isc.org/software/bind</a>.
- There you will find additional information about each release,
- source code, and some pre-compiled versions for certain operating
- systems.
- </p>
- </div>
-
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112124"></a>Support</h2></div></div></div>
-
- <p>Product support information is available on
- <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
- for paid support options. Free support is provided by our user
- community via a mailing list. Information on all public email
- lists is available at
- <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
- </p>
- </div>
-
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112266"></a>New Features</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112112"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Zones may be dynamically added and removed with the
- “rndc addzone” and “rndc delzone” commands. These
- dynamically added zones are written to a per-view
- configuration file. Do not rely on the configuration
- file name nor contents as this will change in a future
- release. This is an experimental feature at this time.
- </li><li class="listitem">
- Added new “filter-aaaa-on-v4” access control list to
- select which IPv4 clients have AAAA record filtering
- applied.
- </li><li class="listitem">
- A new command “rndc secroots” was added to dump a combined
- summary of the currently managed keys combined with statically
- configured trust anchors.
- </li><li class="listitem">
- Added support to load new keys into managed zones without
- signing immediately with "rndc loadkeys". Added support
- to link keys with "dnssec-keygen -S" and
- "dnssec-settime -S".
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id36112313"></a>9.7.2-P1</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112322"></a>9.7.2-P2</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112332"></a>9.7.2-P3</h3></div></div></div>
-
- <p>None.</p>
- </div>
- </div>
-
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112267"></a>Feature Changes</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112348"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Documentation improvements
- </li><li class="listitem">
- ORCHID prefixes were removed from the automatic empty
- zone list.
- </li><li class="listitem">
- Improved handling of GSSAPI security contexts. Specifically,
- better memory management of cached contexts, limited lifetime
- of a context to 1 hour, and added a “realm” command to
- nsupdate to allow selection of a non-default realm name.
- </li><li class="listitem">
- The contributed tool “zkt” was updated to version 1.0.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id36112373"></a>9.7.2-P1</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112382"></a>9.7.2-P2</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112392"></a>9.7.2-P3</h3></div></div></div>
-
- <p>None.</p>
- </div>
- </div>
-
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112402"></a>Security Fixes</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112408"></a>9.7.2</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id36112418"></a>9.7.2-P1</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- If BIND, acting as a DNSSEC validating server, has two or more trust
- anchors configured in named.conf for the same zone (such as
- example.com) and the response for a record in that zone from the
- authoritative server includes a bad signature, the validating server
- will crash while trying to validate that query.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112434"></a>9.7.2-P2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- A flaw where the wrong ACL was applied was fixed. This flaw
- allowed access to a cache via recursion even though the ACL
- disallowed it.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112448"></a>9.7.2-P3</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Adding a NO DATA signed negative response to cache failed to clear
- any matching RRSIG records already in cache. A subsequent lookup
- of the cached NO DATA entry could crash named (INSIST) when the
- unexpected RRSIG was also returned with the NO DATA cache entry.
- [RT #22288] [CVE-2010-3613] [VU#706148]
- </li><li class="listitem">
- BIND, acting as a DNSSEC validator, was determining if the NS RRset
- is insecure based on a value that could mean either that the RRset
- is actually insecure or that there wasn't a matching key for the RRSIG
- in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
- This can happen when in the middle of a DNSKEY algorithm rollover,
- when two different algorithms were used to sign a zone but only the
- new set of keys are in the zone DNSKEY RRset.
- [RT #22309] [CVE-2010-3614] [VU#837744]
- </li><li class="listitem">
- <p>
- When BIND is running as an authoritative server for a zone and
- receives a query for that zone data, it first checks for allow-query
- acls in the zone statement, then in that view, then in global
- options. If none of these exist, it defaults to allowing any query
- (allow-query {"any"};).
- </p>
- <p>
- With this bug, if the allow-query is not set in the zone statement,
- it failed to check in view or global options and fell back to the
- default of allowing any query. This means that queries that the zone
- owner did not wish to allow were incorrectly allowed.
- [RT #22418] [CVE-2010-3615] [VU#510208]
- </p>
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112487"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" title="9.7.2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112494"></a>9.7.2</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Removed a warning message when running BIND 9 under Windows
- for when a TCP connection was aborted. This is a common
- occurrence and the warning was extraneous.
- </li><li class="listitem">
- Worked around a race condition in the cache database memory
- handling. Without this fix a DNS cache DB or ADB could
- incorrectly stay in an over memory state, effectively refusing
- further caching, which subsequently made a BIND 9 caching
- server unworkable.
- </li><li class="listitem">
- Partially disabled change 2864 because it would cause
- infinite attempts of RRSIG queries.
- </li><li class="listitem">
- BIND did not properly handle non-cacheable negative responses
- from insecure zones. This caused several non-protocol-compliant
- zones to become unresolvable. BIND is now more accepting of
- responses it receives from less strict servers.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P1"><div class="titlepage"><div><div><h3 class="title"><a id="id36112523"></a>9.7.2-P1</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- A bug, introduced in BIND 9.7.2, caused named to fail to start
- if a master zone file was unreadable or missing. This has
- been corrected in 9.7.2-P1.
- </li><li class="listitem">
- BIND previously accepted answers from authoritative servers that did
- not provide a "proper" response, such as not setting AA bit. BIND was
- changed to be more strict in what it accepted but this caused
- operational issues. This new strictness has been backed out in
- 9.7.2-P1.
- </li></ul></div>
- </div>
- <div class="section" title="9.7.2-P2"><div class="titlepage"><div><div><h3 class="title"><a id="id36112543"></a>9.7.2-P2</h3></div></div></div>
-
- <p>None.</p>
- </div>
- <div class="section" title="9.7.2-P3"><div class="titlepage"><div><div><h3 class="title"><a id="id36112553"></a>9.7.2-P3</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- Microsoft changed the behavior of sockets between NT/XP based
- stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
- behavior, 2008r2 has the new behavior. With the change, different
- error results are possible, so ISC adapted BIND to handle the new
- error results.
- This resolves an issue where sockets would shut down on
- Windows servers causing named to stop responding to queries.
- [RT #21906]
- </li><li class="listitem">
- Windows has non-POSIX compliant behavior in its rename() and unlink()
- calls. This caused journal compaction to fail on Windows BIND servers
- with the log error: "dns_journal_compact failed: failure".
- [RT #22434]
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112575"></a>Known issues in this release</h2></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- <p>
- "make test" will fail on OSX and possibly other operating systems.
- The failure occurs in a new test to check for allow-query ACLs.
- The failure is caused because the source address is not specified on
- the dig commands issued in the test.
- </p>
- <p>
- If running "make test" is part of your usual acceptance process,
- please edit the file <code class="code">bin/tests/system/allow_query/test.sh</code>
- and add
- </p><p>
- <code class="code">-b 10.53.0.2</code>
- </p><p>
- to the <code class="code">DIGOPTS</code> line.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id36112609"></a>Thank You</h2></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to make
- quality open source software, please visit our donations page at
- <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
- </p>
- </div>
-</div></body></html>
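Review bot: The "Security Fixes" entries for 9.7.2-P1 through 9.7.2-P3 removed in this hunk are the only visible record tying CVE-2010-3613, CVE-2010-3614 and CVE-2010-3615 to their RT numbers and to the behaviour each fix changed. Nothing in the patch as shown adds a replacement. Before deleting the file, please confirm the same entries are carried in the CHANGES file the Introduction points to, or in the release notes that supersede this one. The same goes for the "Known issues" workaround (adding "-b 10.53.0.2" to the DIGOPTS line in bin/tests/system/allow_query/test.sh): if the test script itself has not been corrected in the tree, that instruction should move to wherever the notes now live rather than disappear. The header above the hunk shows only "+++ /dev/null" with no "---" line, so the commit message should name the file being removed (the $Id line gives RELEASE-NOTES-BIND-9.7.html) and state what replaces it.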