Knowledge Base ISC Main Website Ask a Question/Contact ISC
BIND 9.9.8-S1 Release Notes
Author: ISC Support Reference Number: AA-01307 Views: 23153 Created: 2015-09-16 02:57 Last Updated: 2015-09-16 02:57 100 Rating/ 1 Voters


This document summarizes changes since the last production release of BIND on the corresponding major release branch.


The latest versions of BIND 9 software can always be found at There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

  • An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]

  • A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.

    This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]

  • A specially crafted query could trigger an assertion failure in message.c.

    This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]

  • On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.

    This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

New Features

  • The fetches-per-server and fetches-per-zone options have been updated to take an additional argument, drop or fail, indicating whether queries that exceed the quota should be dropped or answered with SERVFAIL.

  • The experimental client-drop-policy option has been deprecated.

  • Statistics counters have been added to track the number of queries spilled due to the fetches-per-server and fetches-per-zone quotas.

  • The serial number of a dynamically updatable zone can now be set using rndc signing -serial number zonename. This is particularly useful with inline-signing zones that have been reset. Setting the serial number to a value larger than that on the slaves will trigger an AXFR-style transfer.

  • When answering recursive queries, SERVFAIL responses can now be cached by the server for a limited time; subsequent queries for the same query name and type will return another SERVFAIL until the cache times out. This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive serviers. The SERVFAIL cache timeout is controlled by servfail-ttl, which defaults to 10 seconds and has an upper limit of 30.

  • The new rndc nta command can now be used to set a "negative trust anchor" (NTA), disabling DNSSEC validation for a specific domain; this can be used when responses from a domain are known to be failing validation due to administrative error rather than because of a spoofing attack. NTAs are strictly temporary; by default they expire after one hour, but can be configured to last up to one week. The default NTA lifetime can be changed by setting the nta-lifetime in named.conf. When added, NTAs are stored in a file (viewname.nta) in order to persist across restarts of the named server.

  • The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing geoip or ecs elements can match against the the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network.

  • The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave server.

  • A new masterfile-style zone option controls the formatting of text zone files: When set to full, the zone file will dumped in single-line-per-record format.

  • dig +ednsopt can now be used to set arbitrary EDNS options in DNS requests.

  • dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.

  • dig +[no]ednsnegotiation can now be used enable / disable EDNS version negotiation.

  • dig +header-only can now be used to send queries without a question section.

  • dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds.

  • dig +zflag can be used to set the last unassigned DNS header flag bit. This bit in normally zero.

  • dig +dscp=value can now be used to set the DSCP code point in outgoing query packets.

  • serial-update-method can now be set to date. On update, the serial number will be set to the current date in YYYYMMDDNN format.

  • dnssec-signzone -N date also sets the serial number to YYYYMMDDNN.

  • named -L filename causes named to send log messages to the specified file by default instead of to the system log.

  • The rate limiter configured by the serial-query-rate option no longer covers NOTIFY messages; those are now separately controlled by notify-rate and startup-notify-rate (the latter of which controls the rate of NOTIFY messages sent when the server is first started up or reconfigured).

  • The default number of tasks and client objects available for serving lightweight resolver queries have been increased, and are now configurable via the new lwres-tasks and lwres-clients options in named.conf. [RT #35857]

  • Log output to files can now be buffered by specifying buffered yes; when creating a channel.

  • delv +tcp will exclusively use TCP when sending queries.

  • named will now check to see whether other name server processes are running before starting up. This is implemented in two ways: 1) by refusing to start if the configured network interfaces all return "address in use", and 2) by attempting to acquire a lock on a file specified by the lock-file option or the -X command line option. The default lock file is /var/run/named/named.lock. Specifying none will disable the lock file check.

  • rndc delzone can now be applied to zones which were configured in named.conf; it is no longer restricted to zones which were added by rndc addzone. (Note, however, that this does not edit named.conf; the zone must be removed from the configuration or it will return when named is restarted or reloaded.)

  • rndc modzone can be used to reconfigure a zone, using similar syntax to rndc addzone.

  • rndc showzone displays the current configuration for a specified zone.

  • Added server-side support for pipelined TCP queries. Clients may continue sending queries via TCP while previous queries are processed in parallel. Responses are sent when they are ready, not necessarily in the order in which the queries were received.

    To revert to the former behavior for a particular client address or range of addresses, specify the address prefix in the "keep-response-order" option. To revert to the former behavior for all clients, use "keep-response-order { any; };".

  • The new mdig command is a version of dig that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting the response before sending the next. [RT #38261]

  • To enable better monitoring and troubleshooting of RFC 5011 trust anchor management, the new rndc managed-keys can be used to check status of trust anchors or to force keys to be refreshed. Also, the managed-keys data file now has easier-to-read comments. [RT #38458]

    >>>>>>> ae86c13... [rt37125a] CHANGES, notes
  • An --enable-querytrace configure switch is now available to enable very verbose query tracelogging. This option can only be set at compile time. This option has a negative performance impact and should be used only for debugging.

  • The nxdomain-redirect option specifies a DNS namespace to use for NXDOMAIN redirection. When a recursive lookup returns NXDOMAIN, a second lookup is initiated with the specified name appended to the query name. This allows NXDOMAIN redirection data to be supplied by multiple zones configured on the server or by recursive queries to other servers. (The older method, using a single type redirect zone, has better average performance but is less flexible.) [RT #37989]

  • EDNS COOKIE options content is now displayed as "COOKIE: <hexvalue>".

Feature Changes

  • Large inline-signing changes should be less disruptive. Signature generation is now done incrementally; the number of signatures to be generated in each quantum is controlled by "sig-signing-signatures number;". [RT #37927]

  • Retrieving the local port range from net.ipv4.ip_local_port_range on Linux is now supported.

  • Active Directory names of the form gc._msdcs.<forest> are now accepted as valid hostnames when using the check-names option. <forest> is still restricted to letters, digits and hyphens.

  • Names containing rich text are now accepted as valid hostnames in PTR records in DNS-SD reverse lookup zones, as specified in RFC 6763. [RT #37889]

Bug Fixes

  • Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

  • A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]

  • Some answer formatting options didn't work correctly with dig +short. [RT #39291]

  • Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]

  • Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]

  • The default rrset-order of random was inconsistently applied. [RT #40456]

  • BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]

  • Several bugs have been fixed in the RPZ implementation:

    • Policy zones that did not specifically require recursion could be treated as if they did; consequently, setting qname-wait-recurse no; was sometimes ineffective. This has been corrected. In most configurations, behavioral changes due to this fix will not be noticeable. [RT #39229]

    • The server could crash if policy zones were updated (e.g. via rndc reload or an incoming zone transfer) while RPZ processing was still ongoing for an active query. [RT #39415]

    • On servers with one or more policy zones configured as slaves, if a policy zone updated during regular operation (rather than at startup) using a full zone reload, such as via AXFR, a bug could allow the RPZ summary data to fall out of sync, potentially leading to an assertion failure in rpz.c when further incremental updates were made to the zone, such as via IXFR. [RT #39567]

    • The server could match a shorter prefix than what was available in CLIENT-IP policy triggers, and so, an unexpected action could be taken. This has been corrected. [RT #39481]

    • The server could crash if a reload of an RPZ zone was initiated while another reload of the same zone was already in progress. [RT #39649]

    • Query names could match against the wrong policy zone if wildcard records were present. [RT #40357]

End of Life

The BIND 9.9 (Extended Support Version) will be supported until June, 2017.

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at

© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu