BIND 9.9.6-P1 Release Notes
Author: Cathy Almond | Reference Number: AA-01224 | Created: 2014-12-08 13:07 | Last Updated: 2014-12-08 19:18
BIND 9.9.6-P1 is a security fix release of BIND 9.9, an Extended Support Version (ESV) of BIND 9.
This document summarizes the feature changes from BIND 9.9.5 to BIND 9.9.6-P1. Entries marked with (**) indicate changes since 9.9.6.
Please see the CHANGES file in the source code release for a complete list of all changes, including bug fixes.
- A flaw in delegation handling could be exploited to put named into an infinite loop, in which each lookup of a name server triggered additional lookups of more name servers. This has been addressed by placing limits on the number of levels of recursion named will allow (default 7), and on the number of queries that it will send before terminating a recursive query (default 50). The recursion depth limit is configured via the max-recursion-depth option, and the query limit via the max-recursion-queries option. The flaw was discovered by Florian Maury of ANSSI. For more information, see the security advisory at https://kb.isc.org/article/AA-01216/. [CVE-2014-8500] [RT #37580] (**)
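The two limits described above are set in the options (or view) statement of named.conf. The following fragment is an added example written for this page, not configuration taken from the release notes or from ISC; the directory path and the client address range are assumptions, and the values shown are the built-in defaults stated above, spelled out so that they are visible during configuration review rather than left implicit.

```conf
// Added example (not from the release notes or ISC): options for a
// recursive named 9.9.6-P1, setting the limits introduced for
// CVE-2014-8500 explicitly.
options {
    directory "/var/named";                 // assumed path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };      // constructed client range

    // Maximum depth of nested name-server lookups that one recursive
    // query may trigger (default 7).
    max-recursion-depth 7;

    // Maximum number of queries named sends while resolving one client
    // query before it terminates the recursion (default 50).
    max-recursion-queries 50;
};
```

Check the file with named-checkconf before applying it with rndc reconfig. A lookup that reaches either limit is abandoned by named, so an unusually large number of affected client queries (SERVFAIL answers for names that otherwise resolved) after lowering these values is the signal to raise them again; legitimate delegation chains rarely approach the defaults.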
The following issues were discovered prior to the release of BIND 9.9.6-P1 but were not considered important enough to stop the release and will instead be addressed in BIND 9.9.7 and future versions. Workarounds and/or patches are available:
- A minor bugfix added to BIND 9.9.6, 9.8.8 and 9.10.0 introduced a regression that causes the nsupdate(8) utility to fail to resolve (and thus fail to send updates to) the SOA MNAME host in some cases. For more details see https://kb.isc.org/article/AA-01220.
- Refinements to EDNS fallback behavior in BIND 9.9.6 and 9.10.1 may prevent named (running as a recursive server) from attempting a final query using UDP without EDNS0 in some rare situations where prior queries using EDNS0 with both UDP and TCP did not obtain usable answers. For more details see https://kb.isc.org/article/AA-01219/.
- Support for CAA record types, as described in RFC 6844 "DNS Certification Authority Authorization (CAA) Resource Record", was added. [RT#36625] [RT #36737]
"request-ixfr" from being specified in zone statements where it is not
valid (it is only valid for slave and redirect zones) [RT #36608]
- Support for CDS and CDNSKEY resource record types was added. For details see the proposed Informational Internet-Draft "Automating DNSSEC Delegation Trust Maintenance" at http://tools.ietf.org/html/draft-ietf-dnsop-delegation-trust-maintainance-14. [RT #36333]
- Added version printing options to various BIND utilities. [RT #26057] [RT #10686]
- On Windows, enable the Python tools "dnssec-coverage" and "dnssec-checkds". [RT #34355]
a "no-case-compress" ACL, which causes named to use case-insensitive
compression (disabling change #3645) for specified clients. (This is
useful when dealing with broken client implementations that use
case-sensitive name comparisons, rejecting responses that fail to match
the capitalization of the query that was sent.) [RT #35300]
- Adds the RPZ SOA to the additional section of responses to clearly indicate the use of RPZ, in a manner that is intended to avoid causing issues for downstream resolvers and forwarders. [RT #36507]
- rndc now gives distinct error messages when an unqualified zone name matches multiple views versus matching no views. [RT #36691]
- Improves the accuracy of dig's reported round trip times. [RT #36611]
- The Windows installer now places files in the Program Files area rather than system services. [RT #35361]
- If an SPF record exists in a zone but no equivalent TXT record does, a warning will be issued. The warning for the reverse condition is no longer issued. See the check-spf option in the documentation for details. [RT #36210]
- "named" will now log explicitly when using rndc.key to configure command channel. [RT #35316]
- The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417]
- Updating of smoothed round-trip time measurements is now limited to no more than once per second, to improve accuracy in selecting the best name server.
- DNSSEC keys that have been marked active but have no publication date are no longer presumed to be publishable. [RT #35063]
- The Makefile in bin/python was changed to work around a bmake bug in FreeBSD 10 and NetBSD 6. [RT #36993]
- Corrected bugs in the handling of wildcard records by the DNSSEC validator: invalid wildcard expansions could be treated as valid if signed, and valid wildcard expansions in NSEC3 opt-out ranges had the AD bit set incorrectly in responses. [RT #37093] [RT #37072]
- When resigning, dnssec-signzone was removing all signatures from delegation nodes. It now retains DS and (if applicable) NSEC signatures. [RT
- The AD flag was being set inappropriately on RPZ responses. [RT #36833]
- Updates the URI record type to the current draft standard, draft-faltstrom-uri-08, and allows the value field to be zero length. [RT #36642] [RT #36737]
- RRsets that were not loaded in a single transaction at start up were not being correctly added to re-signing heaps. [RT #36302]
- Setting '-t aaaa' in .digrc had unintended side-effects. [RT #36452]
- A race condition could cause a crash in isc_event_free during shutdown. [RT #36720]
- Addresses a race condition issue in dispatch. [RT #36731]
- ACL elements could be miscounted, causing a crash while loading a configuration. [RT #36675]
- Corrects a deadlock between view.c and adb.c. [RT #36341]
- liblwres wasn't properly handling link-local addresses in nameserver clauses in resolv.conf. [RT #36039]
- Buffers in isc_print_vsnprintf were not properly initialized leading to potential overflows when printing out quad values. [RT #36505]
- Don't call qsort() with a null pointer, and disable the GCC 4.9 "delete null pointer check" optimizer option. This fixes problems when using GNU GCC 4.9.0, where its compiler code optimizations may cause crashes in BIND. For more information, see the operational advisory at https://kb.isc.org/article/AA-01167/. [RT #35968]
- Fixed a bug that could cause repeated resigning of records in dynamically signed zones. [RT #35273]
- Fixed a bug that could cause an assertion failure after forwarding was disabled. [RT #35979]
- Fixed a bug that caused SERVFAILs when using RPZ on a system configured as a forwarder. [RT #36060]
- Worked around a limitation in Solaris's /dev/poll implementation that could cause named to fail to start when configured to use more sockets than the system could accommodate. [RT #35878]
The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.
Professional support is provided by Internet Systems Consortium, Inc., doing business as DNSco. Information about paid support options is available at http://www.dns-co.com/solutions/. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list/.
Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.
© 2001-2017 Internet Systems Consortium