BIND 9.9.4-S1-P1 Release Notes
Reference Number: AA-01070 | Created: 2013-11-06 19:37 | Last Updated: 2013-11-06 19:56
Introduction
BIND 9.9.4-S1-P1 is the latest production release for the BIND 9.9 Subscription Edition.
The BIND Subscription Edition is a special release of
BIND featuring new functionality not yet published in the
publicly available BIND 9 branch.
This release is branched from BIND 9.9.4, and includes the
following features:
- Response Rate Limiting, a method of blunting the effect
of DNS amplification and reflection attacks.
- Multiple response policy zones (RPZ) can be configured.
RPZ performance is substantially improved.
- GeoIP ACL support, allowing ACL restrictions based on
a client's geographic location (as obtained from the
MaxMind GeoIP databases).
- Support for configuring multiple Dynamically Loadable
Zone (DLZ) modules. A specific DLZ database can be
identified as the source of a zone configured in named.conf.
Type-redirect zones, used for NXDOMAIN redirection, can now
be sourced from a DLZ database.
- Enhanced server statistics, including a new JSON format
statistics channel.
- Support for setting Differentiated Services Code Point (DSCP)
values on outgoing traffic.
This document summarizes changes from BIND 9.9.3-S1 to BIND 9.9.4-S1-P1. For a detailed list of user-visible changes from
previous releases, see the CHANGES file. For a specific
list of detailed changes that have been applied to the
Subscription Edition, see the CHANGES.SE file.
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
Security Fixes
- Treat an all zero netmask as invalid when generating the localnets acl. A
Winsock library call on some Windows systems can return an incorrect
value for an interface's netmask, potentially causing unexpected matches
to BIND's built-in "localnets" Access Control List. (CVE-2013-6230) [RT #34687]
- Previously an error in bounds checking on the private type 'keydata' could be used to deny service through a deliberately triggerable REQUIRE failure (CVE-2013-4854). [RT #34238]
- Prevents exploitation of a runtime_check which can crash named when satisfying a
recursive query for particular malformed zones. (CVE-2013-3919) [RT #33690]
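The localnets fix above (CVE-2013-6230) comes down to one check: an interface whose netmask is reported as all zeros must not be turned into a 0.0.0.0/0 entry, because that entry would match every client. The following added example (not BIND code; the interface list and helper names are constructed for illustration) derives a "localnets"-style ACL from interface address/netmask pairs and shows how the all-zero mask widens the ACL to everyone when it is not rejected.

```python
import ipaddress

# Constructed sample interfaces: (address, netmask) pairs as an interface
# enumeration might report them. The last one mimics the Winsock case from
# the release notes, where the netmask comes back as all zeros.
INTERFACES = [
    ("192.0.2.10", "255.255.255.0"),
    ("198.51.100.7", "255.255.255.128"),
    ("203.0.113.5", "0.0.0.0"),
]


def netmask_prefix_len(netmask):
    """Return the prefix length of a contiguous IPv4 netmask, or None if invalid.

    An all-zero mask is rejected: it would make the interface 0.0.0.0/0,
    which matches every client (the CVE-2013-6230 condition). Non-contiguous
    masks are rejected as well.
    """
    bits = int(ipaddress.IPv4Address(netmask))
    if bits == 0:
        return None
    prefix = bits.bit_count() if hasattr(bits, "bit_count") else bin(bits).count("1")
    canonical = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return prefix if bits == canonical else None


def build_localnets(interfaces, reject_zero_mask=True):
    """Derive the localnets networks from (address, netmask) pairs.

    With reject_zero_mask=False the function reproduces the unfixed
    behaviour: an all-zero mask becomes a /0 network.
    """
    nets = []
    for addr, mask in interfaces:
        if reject_zero_mask:
            plen = netmask_prefix_len(mask)
            if plen is None:
                continue  # unusable mask: leave this interface out of the ACL
        else:
            plen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets


def matches_localnets(client, nets):
    """True if the client address falls inside any localnets network."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in nets)
```

With the unfixed behaviour, `matches_localnets("8.8.8.8", build_localnets(INTERFACES, reject_zero_mask=False))` is True; with the zero-mask check it is False and only the two real interface networks remain in the ACL.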
New Features
- "rndc flushtree" now flushes matching records in the address database and bad
cache as well as the DNS cache. Previously only the DNS cache was
flushed. [RT #33790]
Feature Changes
- rndc status now also shows the build-id. [RT #20422]
- Improved OPT pseudo-record processing to make it easier to support new EDNS options. [RT #34414]
- "configure" now finishes by printing a summary of optional BIND features
and whether they are active or inactive. ("configure
--enable-full-report" increases the verbosity of the summary.) [RT
#31777]
- Addressed compatibility issues with newer versions of Microsoft Visual Studio. [RT #33916]
- Improved the 'rndc' man page. [RT #33506]
- 'named -g' no longer works with an invalid logging configuration. [RT #33473]
- The default (and minimum) value for tcp-listen-queue is now 10 instead
of 3. This is a subtle control setting (not applicable to all OS
environments). When there is a high rate of inbound TCP connections, it
controls how many connections can be queued before they are accepted
by named. Once this limit is exceeded, new TCP connections will be
rejected. Note however that a value of 10 does not imply a strict limit
of 10 queued TCP connections; the impact of changing this
configuration setting will be OS-dependent. Larger values for
tcp-listen-queue will permit more pending TCP connections, which may be
needed where there is a high rate of TCP-based traffic (for example in a
dynamic environment where there are frequent zone updates and
transfers). For most production servers the new default value of 10
should be adequate. [RT #33029]
- Added support for OpenSSL versions 0.9.8y, 1.0.0k, and 1.0.1e with PKCS#11. [RT #33463]
- Added logging messages on slave servers when they forward DDNS updates to a master. [RT #33240]
Bug Fixes
- Fixed the "allow-query-on" option to correctly check the destination address. [RT #34590]
- Fix forwarding for forward only "zones" beneath automatic empty zones. [RT #34583]
- Fix DNSSEC auto maintenance so signatures can be removed from a zone with only KSK keys for an algorithm. [RT #34439]
- Fix DNSSEC auto maintenance so signatures from newly inactive keys are removed (when publishing a new key while deactivating another key at the same time). [RT #32178]
- Remove bogus warning log message about missing signatures when receiving a query for a SIG record. [RT #34600]
- Fix Response Policy Zones on slave servers so new RPZ changes take effect. [RT #34450]
- Fix the "zone-statistics" option to work with the default traditional statistics (not new "--enable-newstats" feature). [RT #34466]
- Restore RPZ "recursive-only no;" to working order when delegation is needed. [RT #33776]
- Eliminate an unnecessary lock/unlock cycle when incrementing cache statistics which was causing a performance drop under heavy load. [RT #34339]
- named could crash when deleting inline-signing zones with "rndc delzone". [RT #34066]
- Improved resistance to a theoretical authentication attack based on differential timing. [RT #33939]
- named was failing to answer queries during "rndc reload". [RT #34098]
- win32: Some executables had been omitted from the installer. [RT #34116]
- Fixed a broken 'Invalid keyfile' error message in dnssec-keygen. [RT #34045]
- The build of BIND now installs isc/stat.h so that it's available to
isc/file.h when building other applications that reference these header
files, for example dnsperf (see Debian bug ticket #692467). [RT #33056]
- Better handle failures building XML for stats channel responses. [RT #33706]
- Fixed a memory leak in GSS-API processing. [RT #33574]
- Fixed an acache-related race condition that could cause a crash. [RT #33602]
- rndc now properly fails when given an invalid '-c' argument. [RT #33571]
- Fixed an issue with the handling of zero TTL records that could cause improper SERVFAILs. [RT #33411]
- Fixed a crash-on-shutdown race condition with DNSSEC validation. [RT #33573]
- Corrected the way that "rndc addzone" and "rndc delzone" handle non-standard characters in zone names. [RT #33419]
- Adjusted RRL behavior for recursive queries to defer rate-limiting until
after recursion is complete. Also uses correct rcode for slipped
NXDOMAIN responses. [RT #33604]
- Previously, BIND could erroneously report a missing file specification when using inline slave zones. [RT #33662]
Thank You
ISC is grateful for the support of our BIND 9 subscription customers, which allows us to continue improving our software.
© 2001-2018 Internet Systems Consortium