Knowledge Base ISC Main Website Ask a Question/Contact ISC
BIND 9.9.9-S1rc1 Release Notes
Author: ISC Support Reference Number: AA-01376 Views: 1961 Created: 2016-04-18 20:00 Last Updated: 2016-04-18 20:01 0 Rating/ Voters

Introduction

BIND 9.9.9-S1rc1 is a development release of BIND9 Supported Preview Edition, a special feature preview edition of BIND available to ISC customers.

This document summarizes significant changes since the last production release of BIND on the corresponding major release branch. Please see the CHANGES file for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

  • The resolver could abort with an assertion failure due to improper DNAME handling when parsing fetch reply messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]

  • Malformed control messages can trigger assertions in named and rndc. This flaw is disclosed in CVE-2016-1285. [RT #41666]

  • A flag could be set in the wrong field when setting up nonrecursive queries; this could cause the SERVFAIL cache to cache responses it shouldn't, and in some circumstances lead to an assertion failure. New querytrace logging has been added which identified this error. Because of the possibility of an assertion with some configurations, this flaw has been disclosed in CVE-2016-1284. [RT #41155]

  • Specific APL data could trigger an INSIST. This flaw is disclosed in CVE-2015-8704. [RT #41396]

  • Incorrect reference counting could result in an INSIST failure if a socket error occurred while performing a lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945]

  • Insufficient testing when parsing a message allowed records with an incorrect class to be be accepted, triggering a REQUIRE failure when those records were subsequently cached. This flaw is disclosed in CVE-2015-8000. [RT #40987]

  • An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]

  • A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.

    This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]

  • A specially crafted query could trigger an assertion failure in message.c.

    This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]

  • On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.

    This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

  • Named is potentially vulnerable to the OpenSSL vulnerabilty described in CVE-2015-3193.

New Features

  • Added support for dnstap, a fast, flexible method for capturing and logging DNS traffic, developed by Robert Edmonds at Farsight Security, Inc., whose assistance is gratefully acknowledged.

    To enable dnstap at compile time, the fstrm and protobuf-c libraries must be available, and BIND must be configured with --enable-dnstap.

    A new utility dnstap-read has been added to allow dnstap data to be presented in a human-readable format.

    For more information on dnstap, see http://dnstap.info.

  • The following resource record types have been implemented: AVC, CSYNC, NINFO, RKEY, SINK, SMIMEA, TA, TALINK.

  • A read-only option is now available in the controls statement to grant non-destructive control channel access. In such cases, a restricted set of rndc commands are allowed, which can report information from named, but cannot reconfigure or stop the server. By default, the control channel access is not restricted to these read-only operations.

  • Added a warning for a common misconfiguration involving forwarded RFC 1918 and IPv6 ULA (Universal Local Address) zones.

  • Contributed software from Nominum is included in the source at contrib/dnsperf-2.1.0.0-1/. It includes dnsperf for measuring the performance of authoritative DNS servers, resperf for testing the resolution performance of a caching DNS server, resperf-report for generating a resperf report in HTML with gnuplot graphs, and queryparse to extract DNS queries from pcap capture files. This software is not installed by default with BIND.

  • When loading a signed zone, named will now check whether an RRSIG's inception time is in the future, and if so, it will regenerate the RRSIG immediately. This helps when a system's clock needs to be reset backwards.

Feature Changes

  • Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET.

  • The default value for servfail-ttl has been reduced from 10 seconds to 1; the maximum value has been reduced from 300 seconds to 30. [RT #37556]

  • The default preferred glue is now the address type of the transport the query was received over.

  • On machines with 2 or more processors (CPU), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.

  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.

  • named -V output now also includes operating system details.

Porting Changes

  • The Microsoft Windows install tool BINDInstall.exe which requires a non-free version of Visual Studio to be built, now uses two files (lists of flags and files) created by the Configure perl script with all the needed information which were previously compiled in the binary. Read win32utils/build.txt for more details. [RT #38915]

Bug Fixes

  • rndc flushtree now works even if there wasn't a cached node at the specified name. [RT #41846]

  • Don't emit records with zero TTL unless the records were received with a zero TTL. After being returned to waiting clients, the answer will be discarded from the cache. [RT #41687]

  • When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997] [RT #41941]

  • Negative trust anchors (NTAs) were incorrectly deleted when the server was reloaded or reconfigured. [RT #41058]

  • The server could crash due to a use-after-free if a zone transfer timed out. [RT #41297]

  • Negative trust anchors (NTAs) were incorrectly deleted when the server was reloaded or reconfigured. [RT #41058]

  • Some of the options for GeoIP ACLs, including "areacode", "metrocode", and "timezone", were incorrectly documented as "area", "metro" and "tz". Both the long and abbreviated versions are now accepted.

  • Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321]

End of Life

BIND 9.9 (Extended Support Version) will be supported until December, 2017. BIND 9.9-S (Supported Preview Edition) releases will continue to be published in tandem with BIND 9.9 releases until the Supported Preview Edition moves to new branch, which may happen before BIND 9.9 reaches end of life, but not later. See https://www.isc.org/downloads/software-support-policy/

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.


© 2001-2016 Internet Systems Consortium

Please help us to improve the content of our knowledge base by letting us know below how we can improve this article.

If you have a technical question or problem on which you'd like help, please don't submit it here as article feedback.

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

Feedback
  • There is no feedback for this article
Info Submit Feedback on this Article
Nickname: Your Email: Subject: Comment:
Enter the code below:
Quick Jump Menu