BIND 9.9.3-S1 Release Notes
Author: ISC Support
Reference Number: AA-00930
Created: 2013-05-23 18:26
Last Updated: 2013-06-13 20:31


BIND 9.9.3-S1 is the latest production release of BIND 9.9.3 Subscription Edition.

The BIND Subscription Edition is a special release of BIND featuring new functionality not yet published in the publicly available BIND 9 branch.

This release is branched from BIND 9.9.3, and includes the following added features:

  • Response Rate Limiting, a method of blunting the effect of DNS amplification and reflection attacks.
  • Multiple response policy zones (RPZ) can be configured. RPZ performance is substantially improved.
  • GeoIP ACL support, allowing ACL restrictions based on a client's geographic location (as obtained from the MaxMind GeoIP databases).
  • Support for configuring multiple Dynamically Loadable Zone (DLZ) modules. A specific DLZ database can be identified as the source of a zone configured in named.conf. Type-redirect zones, used for NXDOMAIN redirection, can now be sourced from a DLZ database.
  • Enhanced server statistics, including a new JSON format statistics channel.
  • Support for setting Differentiated Services Code Point (DSCP) values on outgoing traffic.

This document summarizes changes from BIND 9.9.2 to BIND 9.9.3-S1.  For a detailed list of user-visible changes from previous releases, see the CHANGES file. For a specific list of detailed changes that have been applied to the Subscription Edition, see the CHANGES.SE file. For up-to-date release notes and errata, see

Security Fixes
  • Prevents exploitation of a runtime_check which can crash named when satisfying a recursive query for particular malformed zones.  (CVE-2013-3919) [RT #33690]
  • Now supports NAPTR regular expression validation on all platforms, and avoids memory exhaustion compiling pathological regular expressions. (CVE-2013-2266) [RT #32688]
  • Prevents named from aborting with a require assertion failure on servers with DNS64 enabled.  These crashes might occur as a result of specific queries that are received.  (CVE-2012-5688)  [RT #30792 / #30996]
  • Prevents an assertion failure in named when RPZ and DNS64 are used together. (CVE-2012-5689) [RT #32141]
New Features
  • Added Response Rate Limiting (RRL) functionality to reduce the effectiveness of DNS as an amplifier for reflected denial-of-service attacks by rate-limiting substantially-identical responses. [RT #28130]
  • Added support for ACLs based on geographic location obtained from MaxMind GeoIP databases.  Based on code contributed by Ken Brownfield <>. [RT #30681]
  • Adds support for setting Differentiated Services Code Point (DSCP) values in named. Most configuration options which take a "port" option (e.g., listen-on, forwarders, also-notify, masters, notify-source, etc.) can now also take a "dscp" option specifying a code point for use with outgoing traffic, if supported by the underlying OS. Note that some network routes may incorrectly drop packets with some DSCP values set. [RT #27596]
  • Added the command-line tool "dnssec-coverage" that checks to make sure that there is no scheduled lapse in key coverage. Requires python. [RT #28098]
  • Added support for a JSON-format statistics channel which allows some subsets of the statistics data to be retrieved independently.  Requires the json-c library. [RT #32630]
  • Added a 'filter-aaaa-on-v6' option; this is similar to the existing 'filter-aaaa-on-v4' but applies to IPv6 connections. (Use "configure --enable-filter-aaaa" to enable both options.) [RT #27308]
  • Now includes, in the community contribution section, a dynamically-loadable DLZ module: BDBHPT, contributed by Mark Goldfinch. [RT #32549] 
  • Adds support for the EUI48 and EUI64 RR types. [RT #33082]
  • Adds support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
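The RRL behaviour described in the feature entries above, as an added Python model; this is not BIND's rate-limit code, and the bucket sizes, the /24 and /56 client grouping and the "slip" rule are assumptions chosen for the demonstration.

```python
"""Model of Response Rate Limiting (RRL), added as an example.

This is not BIND's rate-limit implementation. It illustrates the idea in the
RRL entries above: substantially-identical responses to one client netblock
share a per-second budget, and excess responses are dropped or, for every
'slip'-th excess, sent truncated so a genuine client can retry over TCP.
The default numbers below are assumptions chosen for the demonstration.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56):
        self.rps = responses_per_second
        self.window = window            # seconds of credit that may bank up
        self.slip = slip                # 0 disables truncated 'slip' replies
        self.v4_plen = ipv4_prefix_length
        self.v6_plen = ipv6_prefix_length
        self.buckets = {}               # identity -> (credit, last_seen)
        self.excess = defaultdict(int)  # identity -> rate-limited count

    def identity(self, client_ip, qname, qtype, rcode):
        """Group responses that are interchangeable from the client's view."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v6_plen if ip.version == 6 else self.v4_plen
        netblock = str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
        if rcode != "NOERROR":
            # error responses (NXDOMAIN, REFUSED, ...) are keyed by netblock
            # and rcode: their content is the same whatever name was asked for
            return (netblock, rcode)
        return (netblock, qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'slip' (send truncated) or 'drop' for one response."""
        key = self.identity(client_ip, qname, qtype, rcode)
        credit, last = self.buckets.get(key, (self.rps, now))
        # token bucket: refill for elapsed time, capped at window * rps credits
        credit = min(self.window * self.rps, credit + (now - last) * self.rps)
        credit -= 1
        self.buckets[key] = (credit, now)
        if credit >= 0:
            return "send"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def replay(limiter, events):
    """Run (time, client, qname, qtype, rcode) events; return the verdicts."""
    return [limiter.decide(*event) for event in events]


if __name__ == "__main__":
    # constructed burst: identical queries arriving from one /24 within a second
    burst = [(0, "192.0.2.10", "example.com", "ANY", "NOERROR")] * 7
    burst.append((0, "192.0.2.200", "example.com", "ANY", "NOERROR"))
    burst.append((0, "192.0.2.10", "www.example.com", "A", "NOERROR"))
    burst.append((1, "192.0.2.10", "example.com", "ANY", "NOERROR"))
    for event, verdict in zip(burst, replay(ResponseRateLimiter(), burst)):
        print(event, "->", verdict)
```

Note that the second client in the burst shares the /24 and so shares the exhausted budget, while the different qname from the first client is unaffected.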
Feature Changes
  • Changes timing of when slave zones send NOTIFY messages after loading a new copy of the zone.  They now send the NOTIFY before writing the zone data to disk.  This will result in quicker propagation of updates in multi-level server structures. [RT #27242]
  • "rndc status" and XML statistics channel now report server start and reconfiguration times. [RT #21048]
  • The zone-statistics option now takes three options: "full", "terse", and "none".  "yes" is now a synonym for "full".  "no" is now a synonym for "terse", which is how it behaved in previous versions. [RT #29165]
  • Response Policy Zone performance enhancements.  New "response-policy" option "min-ns-dots".  "nsip" and "nsdname" now enabled by default with RPZ. [RT #32251]
  • named now passes client info to the DLZ findzone() entry point in addition to lookup(). This makes it possible for a database to answer differently about whether it is authoritative for a name, depending on the address of the client. Note that adding this new parameter will impact DLZ drivers, which will need to be updated to be compatible.  The DLZ_DLOPEN_VERSION is incremented from 2 to 3 with this change.  [RT #31775]
  • Multiple DLZ databases can now be configured.  DLZ databases are searched in the order configured, unless set to "search no", in which case a zone can be configured to be retrieved from a particular DLZ database by using a "dlz <name>" option in the zone statement. DLZ databases can support type "master" and "redirect" zones.  [RT #27597]
  • The number of AAAA RRsets that have been synthesized by DNS64 will be recorded and reported via the XML statschannel as "queries answered by DNS64".   [RT #27636] 
  • Adds a way for a specific version of the XML statistics to be requested.  HTTP status 404 is returned if the server does not support the requested version.  Servers are still limited to supporting only one version, selected at compile time. [RT #32481]
  • Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to (as of 3rd January 2013).  Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset.  [RT #32164] 
  • The contributed queryperf utility has been improved, now retaining better round trip time statistics. [RT #30128]
  • dnssec-dsfromkey now no longer puts legal whitespace in DS hashes in order to inter-operate better with some overly-strict registrars.  [RT #31951]
  • Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336] 
  • Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL.
    To enable, build BIND with "configure --enable-newstats". [RT #30023]
  • "named -V" can now report a source ID string.  (This will be of most interest to developers and troubleshooters.)  The source ID for ISC's production versions of BIND is defined in the "srcid" file in the build tree and is normally set to the most recent git hash. [RT #31494]
Bug Fixes
  • Added additional diagnostic messages to the 'dig' command when errors are returned in response to EDNS queries.  Added documentation on the '+noedns' option to the 'dig' command help text. [RT #33363]
  • Avoids race condition in data structure initialization with accepting new socket connections. [RT #33084]
  • Correct initialization errors in libdns when built in libexport mode. [RT #33028]
  • Fixes memory leaks in contrib/query-loc. [RT #32960]
  • Fixes resource leaks and a buffer overrun in contrib/zkt. [RT #32960]
  • Fixes memory leak when using ECDSA. [RT #32249]
  • Prevents a crash-on-shutdown race condition. [RT #32777]
  • Increased maximum allowed key size for some algorithms in ddns-confgen and rndc-confgen. [RT #32753]
  • Now properly detects and rejects additional malformed unknown rdata records. [RT #33129]
  • Fixes a glitch in displaying query data when configured with --enable-newstats and no queries have yet been received. [RT #32620]
  • Allow max-cache-size and max-acache-size to accept values greater than 4 gigabytes when built with 64-bit integers.  "unlimited" still means 4 gigabytes - 1 and "0" still allows truly unlimited cache sizes. [RT #32358]
  • Removed lock contention issues that slowed zone loading times for 9.9.x compared with 9.8.x.  Zone loading times are now faster than they were with 9.8.x. [RT #30399]
  • Fixes a crash bug with the loading of incomplete configurations including a slave zone with inline-signing and without a file name. [RT #31946]
  • Fixes a couple of linked-list pointer initialization bugs. [RT #32651]
  • Fixes a possible crash with Diffie-Hellman generated TSIG keys. [RT #32649]
  • Fixes a potential crash when adding and deleting keys with rndc. [RT #32506]
  • Fixes rendering issues for some statistics with the XML stats channel. [RT #32587] 
  • Increases the log level of messages about setting up zone statistics to reduce their performance impact on startup. [RT #32525]
  • Fixes some potential memory leaks with gssapi usage. [RT #32405]
  • nsupdate could exit with an assertion when the local and remote address families didn't match. [RT #22897] 
  • Corrected dnssec-signzone and dnssec-verify behavior with opt-out delegations and NSEC3. [RT #32072]
  • The default value for the number of UDP dispatchers is now either the number of CPUs or the number of worker threads, whichever is lower.  The previous default was the number of worker threads. [RT #30964]
  • Fixed bug where expired slave zones could fail to rewrite the zone data file after the master is again available. [RT #31276]
  • DLZ enhancements improving failure handling and backwards compatibility. [RT #32275]
  • dnssec-keygen and dnssec-settime disallow setting the delete date to be sooner than the inactive date. [RT #31719]
  • Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]
  • ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927] 
  • Missing 'managed-keys-directory' is now handled better.  Prior to this change, when misconfigured, named could loop and consume 100% CPU.  [RT #30625] 
  • Now only the programs that use the readline library will link with it (nslookup and nsupdate). [RT #29810]
  • When using 'rndc addzone' of a zone with 'inline-signing yes;' named will first load the unsigned version and then afterwards successfully create the signed version.  (Prior to this fix, the addzone would fail.)  [RT #31960]
  • dnssec-checkds now emits a clear message when records are not found. This change also fixes a minor reporting problem whereby dnssec-checkds incorrectly reported that no DS records had been found for a KSK, despite having found and listed one. In addition, errors in the man pages (referencing the wrong utility) have been remedied. [RT #31968] 
  • Addresses portability issues (encountered when testing on HPUX) and corrects "rndc signing -nsec3param" to accept the full range of possible values.  [RT #31938]
  • Named should no longer die on shutdown if running with 128 UDP dispatches per interface. [RT #31743] 
  • Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now accepted in slave zone definitions in named.conf when inline-signing is being used. [RT #31078]
  • Addresses build problems encountered on NetBSD 6.0 (renames the 'bool' parameter to avoid a namespace clash).  [RT #31515] 
  • When using the zone reload method of importing changes to named with in-line signing, changes to SOA record parameters (other than the serial number alone) in the un-signed zone will now trigger named to update the signed version of the zone.  Prior to this fix, if SOA parameters were updated while the server was offline but without any changes also being made to other records in the zone, then those changes would not be picked up when the server was restarted/reloaded. [RT #29272] 
  • named-checkconf now detects missing master lists in also-notify clauses. [RT #30810]
  • Improves locking performance when recursing. (This change implements several different strategies for reducing lock contention, specifically relating to the internal structures that are used when handling upstream queries). [RT #28836]
  • When recursing, named now uses multiple dispatch objects for sending upstream queries; this can improve performance on busy multiprocessor systems by reducing lock contention, particularly when the cache hit rate is low. [RT #28605]
  • Handle cases where a port is reserved and cannot be used as the source for a query. [RT #31778]
  • Correct a case where a negative response could incorrectly be flagged as being DNSSEC authenticated when it was not actually authenticated. [RT #32237]
  • Fix missing includes in testing support library that caused it to fail to build on some platforms. [RT #32012]
  • Return correct error code (FORMERR) when presented with malformed requests containing overly long domain names. [RT #29682]
  • Instead of rejecting and logging a FORMERR, named now accepts duplicate singleton records in a DNS query response.  (In some situations, query responses may contain duplicates - and whilst this is not technically correct, BIND has been updated to be more tolerant).  [RT #32329]
  • When named allocates an initial per-thread stack size, it first checks the operating system's default value, and if specified, uses that.  In the situation where it appears that none is provided, it uses an internal default.  This default has been increased from 64K to 1M to accommodate operating systems that require a larger initial stack.  [RT #32230]
  • The allow-query-on ACL is now processed correctly in all situations.  [RT #29486] 
  • The configure script now supports and detects libxml2-2.9.x correctly. [RT #32231]
  • When loading a zone file, named now emits a warning if it encounters a non-blank owner name following $ORIGIN.  The reason for this is that when parsing a zone file, the blank owner name indicates that the current name (i.e. the name from the previous record that named loaded) should be used, even though $ORIGIN has changed.  Particularly when handling subdomains, this can result in those records being unexpectedly loaded with different labels than intended.   [RT #31848] 
  • Resolves a problem that when answering queries for nonexistent names via wildcard CNAME records, DNSSEC responses could fail to include the NSEC/NSEC3 records proving the lack of a better answer.  [RT #21409]
  • Prevents a named abort (assertion failure) during recovery from an out of memory condition.  This crash would be encountered in module general: dst_api.c and logged as REQUIRE((&key->refs)->refs == 0).  [RT #32131]
  • A new configure option --with-ecdsa has been added to force building with ECDSA, bypassing the script-based checks that this functionality is available in the build environment. The converse, --without-ecdsa, explicitly disables ECDSA support during the BIND build.  Both of these options have been added to assist cross-compilation to environments that do (or don't) support ECDSA, overriding the default build behaviour.   [RT #32078] 
  • XML statistics generated by Windows builds contained incorrectly formatted "boot-time" and "current-time" values.  [RT #32044]
  • dig now prints the timezone as part of the timestamp in the "WHEN" line of the output.  [RT #2269]
  • Fixes a race condition in acache.c that could cause named to crash if the acache feature was enabled.  [RT #31908]
  • Prevents named from consuming high CPU resources when re-signing if all keys are offline.  [RT #31916] 
  • Addresses compilation issues when using the GNU build VPATH feature.  [RT #31879]
  • Fixes a race condition when DNSSEC validation is canceled (e.g. by server shutdown).  [RT #31804]
  • Prevents crashes on startup of named, dig and other utilities from 64-bit builds of BIND in the Solaris 11 environment.  Compilers inadvertently created a 64-bit-aligned instruction/32-bit-aligned pointer issue in an area of code that is shared between many of the BIND binaries.   Copying the timeval structure from control message data before using it prevents this from happening.  [RT #31548] 
  • Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to UDP.   This change addresses TCP query failures that are due to delays in learning the working PMTU when communicating via tunneled IPv6. [RT #31690] 
  • Fixes compilation errors when building with ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG non-optional. [RT #31559] 
  • Prevents named from terminating unexpectedly on very busy high-end servers that are using the additional section cache ("acache-enable yes;"). [RT #31253]
  • When re-signing a zone, dnssec-signzone now removes RRSIG and NSEC records from nodes that used to be in-zone but are now below a zone cut. This situation is most likely to arise following the delegation of a subdomain where the glue (A and AAAA) records for the nameservers used to be included in the parent zone, but other scenarios are also possible. [RT #31556] 
  • Silences unnecessarily noisy OpenSSL logging by suppressing some warning messages and moving others to the "dnssec" logging category.  Note that the increased logging was introduced by  change 3354 (RT #29932).  [RT #31497]
  • Implements a collection of minor changes in response to warnings generated by several source code validation utilities. No instances of problems have been reported, but these code changes improve the future reliability and resilience of BIND9. [RT #31484, RT #31626] 
  • dig no longer crashes when using +nssearch with +tcp. [RT #25298] 
  • OPT records are no longer removed from signed truncated query responses.  Receipt of these responses might cause recursive servers to incorrectly identify the sending servers as unable to support EDNS0.  [RT #31439]
  • Message 'sucessfully validated after lower casing signer' is now logged at debug level 1 and has been moved to category "dnssec".  (The misspelling is also corrected.)  [RT #31414]
  • "host -C" should no longer crash with a core dump if REFUSED is received.  This behaviour was an underlying cause of intermittent and often unreproducible crashes which have been experienced by users of the host command.  [RT #31381] 
  • A DNSKEY lookup that encounters a CNAME will now no longer return SERVFAIL.  This failure mode might have been observed in named's logfiles as a resolver format error "CNAME response for DNSKEY RR". [RT #31262]
  • dig now consistently returns NOERROR in TSIG; prior to this change it would occasionally display '0' instead. [RT #31275]
  • Prevents a named hang (due to a violation of lock ordering that can lead to a deadlock between threads) that may occur in some situations when generating new NSEC / NSEC3 chains. [RT #31224] 
  • Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports" ranges appropriately.  Prior to this change the IPv6 port range was applied to all SOA refresh queries.  Most of the time this behaviour would be unnoticed because the IPv6 port range is seldom configured separately and defaults to the IPv4 port range.  But if an administrator chose to specify a null IPv6 port range ("use-v6-udp-ports { };") on a slave server, SOA refresh queries would be completely disabled.  [RT #24173]
  • named could die if a non-existent master list was referenced in an "also-notify" statement. [RT #31004]
  • In some cases, servers were being marked as not supporting EDNS despite not receiving a successful response. [RT #30811]
  • Parsing tests for 32 bit integers will now return a range error on systems that support 64-bit longs. This change may impact administrators who have mistakenly been using serial numbers greater than 2**32 in their zone files (for example, using format YYYYMMDDXXXX) and whose zones loaded, but should have been rejected. The loaded zones would have appeared to be functioning correctly, but in some instances could suffer from operational problems (for example, when enabling IXFR).  [RT #30232] 
  • Silences spurious "deleted from unreachable cache" messages. [RT #30501] 
  • When receiving a query with AD=1, named now decides whether to add NS RRsets to the additional section in the same way as it does when DO=1 is set.  Prior to this change, when constructing a reply to a query with DO=1, if the answer section was signed and valid then named would not add untrusted NS RRsets to the additional section; but with AD=1 (and DO=0) in the query, it might have added available but untrusted RRsets to the response, at the same time setting AD=0.  [RT #30479]
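The $ORIGIN owner-name rule and the 32-bit serial range check from the bug-fix entries above, as an added Python model that is not BIND's zone parser; the zone text is constructed, and only $ORIGIN and single-line records are handled.

```python
"""Owner-name tracking in a master-file loader, added as an example (not
BIND's zone parser). It models two rules from the bug-fix entries above: a
blank owner name inherits the previous record's name even after $ORIGIN has
changed, so the record can land outside the new origin (flagged here with a
warning), and an SOA serial that does not fit in 32 bits is a range error
rather than a loaded zone. The zone text below is constructed for the example.
"""
MAX_UINT32 = 2 ** 32 - 1


def qualify(name, origin):
    """Make a name absolute: '@' is the origin; relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def serial_in_range(serial):
    """SOA serials are 32-bit; YYYYMMDDXXXX-style values overflow this."""
    return 0 <= serial <= MAX_UINT32


def load_zone(text, origin):
    """Return (records, warnings); raise ValueError on a rejected zone."""
    origin = origin if origin.endswith(".") else origin + "."
    current = None              # owner name of the previous record
    after_origin = False        # True until the first record after $ORIGIN
    records, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            after_origin = True
            continue
        if line.startswith("$"):
            continue            # $TTL and other directives are not modelled
        fields = line.split()
        if line[0] in " \t":    # blank owner: reuse the current name
            if current is None:
                raise ValueError(f"line {lineno}: no previous owner name")
        else:
            current = qualify(fields.pop(0), origin)
        if after_origin and current != origin and not current.endswith("." + origin):
            warnings.append(f"line {lineno}: owner {current} after $ORIGIN "
                            f"is not under the new origin {origin}")
        after_origin = False
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)       # optional TTL and class
        rtype, rdata = fields[0].upper(), tuple(fields[1:])
        if rtype == "SOA" and not serial_in_range(int(rdata[2])):
            raise ValueError(f"line {lineno}: SOA serial {rdata[2]} "
                             "does not fit in 32 bits")
        records.append((current, rtype, rdata))
    return records, warnings


ZONE = """\
$ORIGIN example.com.
@     IN SOA ns1 hostmaster 2013052301 3600 900 604800 86400
      IN NS  ns1
www   IN A   192.0.2.1
$ORIGIN sub.example.com.
      IN A   192.0.2.2   ; blank owner: still www.example.com., not the new origin
host  IN A   192.0.2.3
"""

if __name__ == "__main__":
    records, warnings = load_zone(ZONE, "example.com.")
    print(*records, *warnings, sep="\n")
```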
Thank You

ISC is grateful for the support of our BIND 9 subscription customers, which allows us to continue improving our software.

© 2001-2018 Internet Systems Consortium
