Added multiple experimental tuning features that can be used to optimise recursive server behavior in favor of good client queries, whilst at the same time limiting the impact of 'bad' client queries on local recursive server resource use.
PLEASE NOTE: All of these features are subject to ongoing research and may be modified or dropped in future releases.
For more details on these features please see both the BIND Administrator Reference Manual (ARM) and also the KB article, Recursive Client Rate limiting in BIND 9.9 Subscription Version.
Negative Trust Anchors
The new rndc "nta" command can be used to set a temporary negative trust anchor, which disables DNSSEC validation below a specified name for a specified period of time (not exceeding 1 week). This can be used when validation for a domain is known to be failing due to a configuration error on the part of the domain owner rather than a spoofing attack. [RT #29358]
By default, negative trust anchors will be automatically tested periodically to see whether data below them can be validated, and if so, they will be allowed to expire early. The "rndc nta -force" option overrides this behaviour. The default NTA lifetime and the recheck frequency can be configured by the "nta-lifetime" and "nta-recheck" named.conf options. [RT #36146]
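Because an NTA switches off validation for everything below a name, operators often put a guard in front of the command. The following is an added example, not part of these release notes or of BIND: the function `nta_add`, the variables `NTA_MAX` and `NTA_EXEC`, and the sample domain are hypothetical, and the `-lifetime` flag comes from rndc's documented "nta" syntax rather than from this page.

```shell
#!/bin/sh
# Guard wrapper around "rndc nta" (illustrative; names are hypothetical).
NTA_MAX=604800   # one week in seconds, the ceiling stated in the release notes

# nta_add DOMAIN LIFETIME_SECONDS [force]
# Prints the rndc command by default; runs it only when NTA_EXEC=1.
nta_add() {
    domain=$1
    lifetime=$2
    force=${3:-}

    # An empty name or the root would disable validation for every zone.
    case $domain in
        ''|.) echo "refusing: NTA needs a specific domain" >&2; return 2 ;;
    esac
    # Accept hostname characters only, so nothing else reaches the command line.
    case $domain in
        *[!A-Za-z0-9._-]*) echo "refusing: invalid domain '$domain'" >&2; return 2 ;;
    esac
    # Lifetime must be a plain integer of at most six digits (604800 has six).
    case $lifetime in
        ''|*[!0-9]*|???????*) echo "refusing: bad lifetime '$lifetime'" >&2; return 3 ;;
    esac
    if [ "$lifetime" -lt 1 ] || [ "$lifetime" -gt "$NTA_MAX" ]; then
        echo "refusing: lifetime must be 1..$NTA_MAX seconds" >&2
        return 3
    fi

    set -- rndc nta -lifetime "$lifetime"
    # -force stops the periodic recheck, so the NTA cannot expire early;
    # require the caller to ask for it explicitly.
    if [ "$force" = force ]; then
        set -- "$@" -force
    fi
    set -- "$@" "$domain"

    if [ "${NTA_EXEC:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Dry run with a constructed domain: prints the command without contacting named.
nta_add example.com 3600
```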
SERVFAIL Response Caching
SERVFAIL responses can now be cached for a limited time, configured by "servfail-ttl" (default 10 seconds, limit 300 seconds, i.e. 5 minutes). This can reduce the frequency of retries when an authoritative server is known to be failing, e.g., due to ongoing DNSSEC validation problems. [RT #21347]
Compile-time option, "--with-tuning=large"
"configure --with-tuning=large" adjusts various compiled-in constants and default settings to values suited to large servers with abundant memory. [RT #29538]
Added per-zone stats counters to track TCP and UDP queries. [RT #35375]
Other Minor Feature Changes
- Version printing option was added to various BIND utilities. [RT #26057] [RT #10686]
- Only warn for SPF without TXT spf record. [RT #36210]
- Support for CDS and CDNSKEY resource record types was added. [RT #36333]
ISC is grateful for the support of our BIND 9 subscription customers. Your support allows us to continue improving our software.
© 2001-2017 Internet Systems Consortium