BIND 9.10.1 is the latest production release of BIND 9.10.
This document summarizes feature changes from BIND 9.10.0 to BIND 9.10.1. Entries marked with (**) indicate changes since 9.10.1rc2
Please see the CHANGES file in the source code release for a complete list of all changes, including bug fixes.
A Special Note on BIND 9.10 Memory Usage
Linux users who are switching to the BIND 9.10 branch should be advised that in 9.10 the default build behavior for Linux has changed. Prior to 9.10 the default for "--enable-threads" was false, but since 9.10.0 threaded builds have been the default on Linux (as they previously were on many other platforms). Threaded servers are capable of considerably higher queries-per-second throughput; however, they use more memory. This should be taken into consideration when building for systems with limited memory.
In addition to this expected increase in size, some users of BIND 9.10.0 have recently reported unexpected continuous growth in memory usage of the named process over time. These reports were received late in the development cycle, and though we delayed release for several days to investigate, we have not been able to reproduce the problem on our own servers. We cannot say with certainty whether these reports indicate a bug, or if so, what fraction of BIND 9.10 servers may be affected.
As we continue to investigate, we would appreciate assistance from the BIND community. If you are running BIND 9.10.0 or BIND 9.10.1 and observe unexpected memory growth from your named process, please collect as much supporting information as you can (the article at https://kb.isc.org/article/AA-01208 describes what would be most helpful to our developers) and report your findings to email@example.com using a Subject: header containing the words "BIND 9.10 memory growth". Thank you in advance.
The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.
Professional support is provided by Internet Systems Consortium, Inc.. Information about paid support options is available at http://www.isc.org/services/. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list/.
- A query specially crafted to exploit a defect in EDNS option processing could cause named to terminate with an assertion failure, due to a missing isc_buffer_availablelength() check when formatting packet contents for logging. For more information, see the security advisory at https://kb.isc.org/article/AA-01166/. [CVE-2014-3859] [RT #36078]
- A programming error in the prefetch feature could cause named to crash with a "REQUIRE" assertion failure in name.c. For more information, see the security advisory at https://kb.isc.org/article/AA-01161/. [CVE-2014-3214] [RT #35899]
- Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]
- Disallow "request-ixfr" from being specified in zone statements where it is not valid (it is only valid for slave and redirect zones) [RT #36608]
- Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
- Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
- Optionally allows libseccomp-based (secure computing mode) system-call filtering on Linux. This sandboxing mechanism may be used to isolate "named" from various system resources. Use "configure --enable-seccomp" at build time to enable it. Thank you to Loganaden Velvindron of AFRINIC for the contribution. [RT #35347]
- "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945]
- Adds RPZ SOA to the additional section of responses to clearly indicate the use of RPZ in a manner that is intended to avoid causing issues for downstream resolvers and forwarders [RT #36507]
- rndc now gives distinct error messages when an unqualified zone name matches multiple views vs. matching no views [RT #36691]
- Improves the accuracy of dig's reported round trip times. [RT #36611]
- When an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
- Aging of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server. [RT #32909]
- DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
- the Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993] (**)
- Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
- An assertion failure could occur if a route event arrived while shutting down. [RT #36887]
- When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT #36946]
- The AD flag was being set inappopriately on RPZ responses. [RT #36833]
- Updates the URI record type to current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length [RT #36642] [RT #36737]
- On some platforms, overhead from DSCP tagging caused a performance regression between BIND 9.9 and BIND 9.10. [RT #36534]
- RRSIG sets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
- Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
- Fixed a bug where some updated policy zone contents could be ignored due to stale RPZ summary information [RT #35885]
- A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
- Addresses some problems with unrecoverable lookup failures. [RT #36330]
- Addresses a race condition issue in dispatch. [RT #36731]
- acl elements could be miscounted, causing a crash while loading a config [RT #36675]
- Corrects a deadlock between view.c and adb.c. [RT #36341]
- liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
- Disable the GCC 4.9 "delete null pointer check" optimizer option, and refactor dns_rdataslab_fromrdataset() to separate out the handling of an rdataset with no records. This fixes problems when using GNU GCC 4.9.0 where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
- Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
- Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
- Fixed a bug that caused GeoIP ACLs not to work when referenced indirectly via named or nested ACLs. [RT #35879]
- FIxed a bug that could cause problems with cache cleaning when SIT was enabled. [RT #35858]
- Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
- Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accomodate. [RT #35878]
- Fixed a bug that could cause an assertion failure when inserting and deleting parent and child nodes in a response-policy zone. [RT #36272]
Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.
© 2001-2016 Internet Systems ConsortiumPlease help us to improve the content of our knowledge base by letting us know below how we can improve this article. If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback. For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.