BIND 9.10.4b3 Release Notes
| Author: ISC Support Reference Number: AA-01373 Views: 2015 Created: 2016-03-30 19:06 Last Updated: 2016-03-30 19:06
0 Rating/ Voters
This document summarizes significant changes since the last
production release of BIND on the corresponding major release
Please see the CHANGES file for a further list of bug fixes and
The latest versions of BIND 9 software can always be found at
There you will find additional information about each release,
source code, and pre-compiled versions for Microsoft Windows
Duplicate EDNS COOKIE options in a response could trigger
an assertion failure. This flaw is disclosed in CVE-2016-2088.
The resolver could abort with an assertion failure due to
improper DNAME handling when parsing fetch reply
messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
Malformed control messages can trigger assertions in named
and rndc. This flaw is disclosed in CVE-2016-1285. [RT
Certain errors that could be encountered when printing out
or logging an OPT record containing a CLIENT-SUBNET option
could be mishandled, resulting in an assertion failure.
This flaw is disclosed in CVE-2015-8705. [RT #41397]
Specific APL data could trigger an INSIST. This flaw
is disclosed in CVE-2015-8704. [RT #41396]
Incorrect reference counting could result in an INSIST
failure if a socket error occurred while performing a
lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. This flaw is disclosed
in CVE-2015-8000. [RT #40987]
The following resource record types have been implemented:
AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.
Added a warning for a common misconfiguration involving forwarded
RFC 1918 and IPv6 ULA (Universal Local Address) zones.
Contributed software from Nominum is included in the source at
contrib/dnsperf-184.108.40.206-1/. It includes dnsperf for measuring
the performance of authoritative DNS servers, resperf for
testing the resolution performance of a caching DNS server,
resperf-report for generating a resperf report in HTML with
gnuplot graphs, and queryparse to extract DNS queries from
pcap capture files. This software is not installed by default
When loading a signed zone, named will
now check whether an RRSIG's inception time is in the future,
and if so, it will regenerate the RRSIG immediately. This helps
when a system's clock needs to be reset backwards.
Updated the compiled-in addresses for H.ROOT-SERVERS.NET
The default preferred glue is now the address type of the
transport the query was received over.
On machines with 2 or more processors (CPU), the default value
for the number of UDP listeners has been changed to the number
of detected processors minus one.
Zone transfers now use smaller message sizes to improve
message compression. This results in reduced network usage.
named -V output now also includes operating system details.
The Microsoft Windows install tool
BINDInstall.exe which requires a
non-free version of Visual Studio to be built, now uses two
files (lists of flags and files) created by the Configure
perl script with all the needed information which were
previously compiled in the binary. Read
win32utils/build.txt for more details.
rndc flushtree now works even if there wasn't a cached node
at the specified name. [RT #41846]
Don't emit records with zero TTL unless the records were
received with a zero TTL. After being returned to waiting
clients, the answer will be discarded from the cache. [RT #41687]
For Windows platforms, the SIT (Source Identity Token) support
was restored. (It was mistakenly partially replaced in a
previous beta with new 9.11 COOKIE support.) [RT #41905]
When deleting records from a zone database, interior nodes
could be left empty but not deleted, damaging search
performance afterward. [RT #40997] [RT #41941]
The server could crash due to a use-after-free if a
zone transfer timed out. [RT #41297]
Authoritative servers that were marked as bogus (e.g. blackholed
in configuration or with invalid addresses) were being queried
anyway. [RT #41321]
Some of the options for GeoIP ACLs, including "areacode",
"metrocode", and "timezone", were incorrectly documented
as "area", "metro" and "tz". Both the long and abbreviated
versions are now accepted.
Zones configured to use map format
master files can't be used as policy zones because RPZ
summary data isn't compiled when such zones are mapped into
memory. This limitation may be fixed in a future release,
but in the meantime it has been documented, and attempting
to use such zones in response-policy
statements is now a configuration error. [RT #38321]
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
© 2001-2017 Internet Systems ConsortiumFor assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.