Knowledge Base ISC Main Website Ask a Question/Contact ISC
BIND 9.9.2-P1 Release Notes
Author: ISC Support Reference Number: AA-00829 Views: 32145 Created: 2012-11-27 13:44 Last Updated: 2012-12-04 17:53 0 Rating/ Voters


BIND 9.9.2-P1 is a security-fix release, superceding BIND 9.9.2 as the latest production release of BIND 9.9.

This document summarizes changes from BIND 9.9.1 to BIND 9.9.2-P1.  Please see the CHANGES file in the source code release for a complete list of all changes.


The latest versions of BIND 9 software can always be found on our web site at There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.


Product support information is available on for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at

Security Fixes
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled.  These crashes might occur as a result of  specific queries that are received.  (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996).  [CVE-2012-5688] [RT #30792]
  • A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
  • Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes.  [CVE-2012-4244]  [RT #30416]
  • Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [CVE-2012-3817]  [RT #30025] 
  • A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667]  [RT #29644]
  • ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868]  [RT #29539 & #30233]
New Features
  • Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
  • Introduces a new tool "dnssec-checkds" command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.)  [RT #28099]
  • Introduces a new tool "dnssec-verify" that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains.  [RT #23673]
  • Adds configuration option "max-rsa-exponent-size <value>;" that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228]
Feature Changes
  • Improves OpenSSL error logging [RT #29932]
  • nslookup now returns a nonzero exit code when it is unable to get an answer.  [RT #29492]
Bug Fixes
  • Uses binary mode to open raw files on Windows.  [RT #30944]
  • When using DNSSEC inline signing with "rndc signing -nsec3param", a salt value of "-" can now be used to indicate 'no salt'.  [RT #30099]
  • Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients.  [RT #30241] 
  • Static-stub zones now accept "forward" and "fowarders" options (often needed for subdomains of the zone referenced to override global forwarding options).  These options are already available with traditional stub zones and their omission from zones of type "static-stub" was an inadvertent oversight. [RT #30482] 
  • Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner.   With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer.  [RT #26429]
  • Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations.  Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results.  [RT #25181]
  • Improves OpenSSL error logging [RT #29932]
  • The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
  • The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option.  [RT #18723]
  • Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup.  [RT #27730] 
  • Removes spurious newlines from log messages in zone.c [RT #30675]
  • When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550] 
  • All named tasks that perform task-exclusive operations now share the same single task.  Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table.  If the race condition was encountered, named would in most cases terminate unexpectedly with an assert.  [RT #29872]
  • Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed.  Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized.  This is of particular importance to DNSSEC-validating recursive servers that might erroneously set "no-edns" for an authoritative server following a period of intermittent connectivity. [RT #29856]
  • Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries  - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
  • dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
  • Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases).  [RT #29952]
  • Address race condition in units tests: asyncload_zone and asyncload_zt. [RT #26100]
  • It is now possible to using multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
  • Named now holds a zone table reference while performing an asynchronous load of a zone.  This removes a race condition that could cause named to crash when zones are added using rndc addzone or by manually editing named's configuration file followed by rndc reconfig/reload. [RT #28326]
  • Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity.  [RT #29623]
  • Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
  • Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured.  Also:
    • adds an optional "recursive-only yes|no" to the response-policy statement
    • adds an optional "max-policy-ttl" to the response-policy statement to limit the false data that "recursive-only no" can introduce into resolvers' caches
    • introduces a predefined encoding of PASSTHRU policy by adding "rpz-passthru" to be used as the target of CNAME policy records (the old encoding is still accepted.)
    • adds a RPZ performance test to bin/tests/system/rpz when queryperf is available.
    [RT #26172]
  • Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]
Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Feedback 2
  • #
    [ zzt]: how to config lwres 2013-02-19 08:56

    We config the lwres statement in the config file,but i am not sure it effects or not.
    I read a lot of materials, but they are not very detailed.
    Which conditions are lightweight resolver protocol general use in ?
    Could you give us some more detailed description and configuration sample?

  • #
    [Cathy Almond]: Re: how to config lwres 2013-10-11 16:15

    lwresd is a lightweight cache-only daemon that has its own configuration file (the code that is compiled is essentially the same binary as named, but operates by different rules). It doesn't do its own iterative resolution - instead it queries the resolvers it finds in /etc/resolv.conf on the system on which it is running.

    libwres is a library of APIs with which applications can query lwresd. The APIs are different to those used by libbind - and the port to which they send queries and that lwresd is listening on (by default) is 921 rather than 53.

    It's also possible to configure named to listen for and respond on port 921 for lwresd-style queries (by using the lwres statement).

    To make use of lwresd, you would need to have clients that are specifically built to use liblwres. There is no need to run lwresd or to configure named to respond to lightweight resolver queries if you have no clients that are using this protocol. It is believed that use of liblwres is these days mostly isolated to specific applications/environments that distribute all the necessary components as part of their installation package or appliance.

    More detail on lwesd can be found in the ARM - particularly Chapter 5 and section 6.2.12 as well as the man page for lwresd(8)

Quick Jump Menu