BIND 9.7.5rc1 Release Notes
Author: ISC Support | Reference Number: AA-00598 | Created: 2012-01-18 15:47 | Last Updated: 2012-01-19 23:16
BIND 9.7.5rc1 is the first release candidate of BIND 9.7.5.
This document summarizes changes from BIND 9.7.4 to BIND 9.7.5rc1.  Please see the CHANGES file in the source code release for a complete list of all changes.

The latest versions of BIND 9 software can always be found on our web site at There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.
Product support information is available on for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at
Security Fixes
  • BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]
Feature Changes
  • It is now possible to explicitly disable DLV in named.conf by specifying "dnssec-lookaside no;". This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858] 
  • --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib). [RT #27103]
Bug Fixes

  • Some query patterns could cause responses not to be returned in cyclic order though "rrset-order cyclic" was set.  [RT #27170/27185]
  • named-compilezone no longer emits the "dump zone to <file>" message when writing to stdout.  [RT #27109]
  • Sets isc_socket_ipv6only() on the IPv6 control channels.  This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally.   [RT #22249]
  • named now reports a syntax error when a TXT record longer than 255 characters is configured.  [RT #26956] 
  • Addresses race conditions in the resolver code that can cause named to abort.   [RT #26889]
  • Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records.  [RT #26913]
  • Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
  • Prevents DNSKEY state change events from being missed by ensuring that the timestamps used to determine which keys are in use are set appropriately.  [RT #26874] 
  • When processing a list of keys, named now consistently compares them with the same timestamp. [RT #26883]
  • Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
  • Poor error handling could cause named to hang during shutdown. [RT #26372]
  • named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
  • The order in which we process the reactivation of a dead node in cache and the incrementing of its reference count created a small timing window during which an inconsistency could be detected and an assert occur in a multi-threaded environment.  This should no longer occur.  [RT #23219]
  • Master servers that had previously been marked as unreachable because of failed zone transfer attempts will now be removed from the "unreachable" list (i.e. considered reachable again) if the slave receives a NOTIFY message from them. [RT #25960]
  • Fixes a bug in zone.c where failure to delete signatures could lead to an assertion failure and subsequent abort. [RT #25880]
  • Corrects a problem validating root DS responses. [RT #25726]
  • Fixes a problem whereby "rndc dumpdb" could cause an assertion failure and abort by attempting to print an empty rdataset. [RT #25452]
  • Improves scalability by allocating one zone task per 100 zones at startup time. [RT #25541]
  • Fixes a problem with the computation of tags for revoked keys. [RT #26186]
  • 'dig -y' would crash when passed an unknown TSIG algorithm. dig now handles unknown TSIG algorithms more gracefully. [RT #25522]
  • Servers that received negative responses from a forwarder were failing to cache the answers correctly, resulting in multiple queries for the same non-existent name being sent to the forwarders instead of answers being provided to clients from cache (until TTL expiry). [RT #25380]
  • named would log warnings that empty zones may fail to transfer to slaves due to serial number 0. These spurious errors have now been silenced. [RT #25079]
  • Corrected memory leaks and out-of-order operations that could cause named to crash during a normal shutdown. [RT #25210]
  • Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990]
  • Corrected a bug which could cause a slave server with "allow-update-forwarding" set to become unresponsive if the master it is trying to reach is off-line or unreachable. [RT #24711]
  • If allow-new-zones was set to yes and ACLs were given names, issuing 'rndc reconfig' could cause named to crash. [RT #22739]
  • Socket errors during recursion were sometimes not handled correctly, which could lead to a named assert when an associated query structure was used after it had already been freed. [RT #22208]
  • The logging level for DNSSEC validation failures due to expired or not-yet-valid RRSIGs has been increased to log level "info" to make it easier to diagnose these problems. Examples of the new log messages are given below:

    03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad signature
    (keyid=19442): RRSIG has expired

    03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad signature
    (keyid=19442): RRSIG validity period has not begun

    [RT #21796]

  • This change can reduce the time when a server is unavailable during "rndc reconfig" for servers with large and complex configurations. This is achieved by completing the parsing of the configuration files in entirety before entering the exclusive phase. (Note that it does not reduce the total time spent in "rndc reconfig", and it has no measurable impact on server initial start-up times.) [RT #21373]
  • Direct queries for type RRSIG or SIG (sometimes used while testing) could be handled incorrectly in the case where there is no answer available. [RT #21050]
  • dnssec-signzone -t now records timestamps just before and just after signing, improving the accuracy of signing statistics. [RT #16030]
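
The following is an added example, not part of the ISC release notes or BIND itself: a small parser that picks the two new "info"-level RRSIG validity messages (RT #21796 above) out of a named log and counts them per key tag. The sample log is constructed from the two messages quoted above; the owner name `www.example.test`, the non-matching query line, and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the two message forms quoted above. "[^\n]*?" allows a category or
# severity prefix before "validating"; "\s+" tolerates the line wrap shown on
# the page; the owner name is optional because the page's samples omit it.
VALIDATION_FAILURE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [^\n]*?"
    r"validating @0x[0-9a-f]+: (?:(?P<name>\S+) )?(?P<rtype>[A-Z0-9]+): "
    r"verify failed due to bad signature\s+\(keyid=(?P<keyid>\d+)\): "
    r"(?P<reason>RRSIG has expired|RRSIG validity period has not begun)"
)
REASON_LABEL = {
    "RRSIG has expired": "expired",
    "RRSIG validity period has not begun": "not_yet_valid",
}

def parse_failures(log_text):
    """Return one dict per RRSIG time-validity failure found in log_text."""
    return [
        {
            "timestamp": m.group("ts"),
            "name": m.group("name"),          # None when the log omits it
            "rtype": m.group("rtype"),
            "keyid": int(m.group("keyid")),
            "reason": REASON_LABEL[m.group("reason")],
        }
        for m in VALIDATION_FAILURE.finditer(log_text)
    ]

def summarize(events):
    """Count failures per (keyid, reason) so a recurring key stands out."""
    return Counter((e["keyid"], e["reason"]) for e in events)

# Constructed sample: the page's two messages (first one wrapped as on the
# page), one extra failure with a hypothetical owner name, one unrelated line.
SAMPLE_LOG = """\
03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: A: verify failed due to bad signature
(keyid=19442): RRSIG has expired
03-Nov-2011 22:41:02.101 validating @0x12b5d80: www.example.test AAAA: verify failed due to bad signature (keyid=19442): RRSIG has expired
03-Nov-2011 22:41:31.335 validating @0x12b5d80: A: verify failed due to bad signature (keyid=19442): RRSIG validity period has not begun
03-Nov-2011 22:41:40.000 client 192.0.2.1#5353: query: example.test IN A +
"""

if __name__ == "__main__":
    for (keyid, reason), n in sorted(summarize(parse_failures(SAMPLE_LOG)).items()):
        print(f"keyid={keyid} reason={reason} count={n}")
```

Repeated "expired" counts for one key tag usually mean the zone's signatures were not refreshed or the validator's clock is ahead; "not_yet_valid" usually means the validator's clock is behind the signer's.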

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at
