DNS: BIND product lines updated to 9.9.3 / 9.8.5


ISC today (2013-05-28) released the latest versions of both BIND product lines, 9.9.3 and 9.8.5, after two release candidates each. The previous releases were 9.9.2 / 9.8.4 of 2012-10-09. Although BIND 10 has been released, its changes are so large that most operators are probably still running BIND 9.

Full release notes:

  BIND 9.9.3 is the latest production release of BIND 9.9.

  This document summarizes changes from BIND 9.9.2 to BIND 9.9.3.
  Please see the CHANGES file in the source code release for a
  complete list of all changes.

Download

  The latest versions of BIND 9 software can always be found on
  our web site at http://www.isc.org/downloads/all. There you will
  find additional information about each release, source code, and
  pre-compiled versions for Microsoft Windows operating systems.

Support

  Product support information is available on
  http://www.isc.org/services/support for paid support options.
  Free support is provided by our user community via a mailing
  list. Information on all public email lists is available at
  https://lists.isc.org/mailman/listinfo.

Security Fixes

  Now supports NAPTR regular expression validation on all platforms,
  and avoids memory exhaustion compiling pathological regular
  expressions. (CVE-2013-2266)  [RT #32688]

  Prevents named from aborting with a REQUIRE assertion failure
  on servers with DNS64 enabled.  These crashes might occur as a
  result of specific queries that are received.  (CVE-2012-5688)
  [RT #30792 / #30996]

  Prevents an assertion failure in named when RPZ and DNS64 are
  used together. (CVE-2012-5689) [RT #32141]
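  The first thing a practitioner wants from a notes page like this is a quick
  "is this host on the announced release or newer?" answer. The following is an
  added example, not ISC code: it parses the version strings that "named -v"
  prints (the assumed shapes "BIND 9.9.3", "9.9.2-P2", "9.9.3b1", "9.9.3rc1",
  with any vendor suffix ignored) and orders them the way ISC releases are
  ordered, so that betas and release candidates sort before the final release
  and "-P" patch levels after it. It only answers relative to the two releases
  named on this page; the earlier -P patch releases carried some of these CVE
  fixes individually, so treat it as a "which release am I on" check, not as a
  vulnerability oracle, and consult the per-CVE ISC advisory for exact ranges.

```python
import re

# Releases these notes announce as containing the fixes above, keyed by branch.
ANNOUNCED = {(9, 8): (9, 8, 5), (9, 9): (9, 9, 3)}

# Assumed input shapes: "9.9.3", "BIND 9.9.2-P2", "9.9.3b1", "9.9.3rc1".
# Anything after the recognised prefix (vendor suffixes) is ignored.
_VERSION_RE = re.compile(
    r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:(b|rc)(\d+))?"                    # optional beta / release-candidate stage
    r"(?:-P(\d+))?"                        # optional ISC patch level
)


def parse_bind_version(text):
    """Map a version string to a tuple that sorts like ISC releases:
    9.9.3b1 < 9.9.3rc1 < 9.9.3 < 9.9.3-P1 < 9.9.4."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = {"b": 0, "rc": 1, None: 2}[m.group(4)]   # final release sorts after b/rc
    stage_no = int(m.group(5) or 0)
    patch_level = int(m.group(6) or 0)
    return (major, minor, patch, stage, stage_no, patch_level)


def at_least_announced(text):
    """True if the build is the release these notes describe or a later one on the
    same branch, False if it is older, None if the branch is not 9.8 or 9.9
    (this page says nothing about other branches)."""
    v = parse_bind_version(text)
    target = ANNOUNCED.get(v[:2])
    if target is None:
        return None
    return v >= target + (2, 0, 0)   # (2, 0, 0): final release, no patch level


if __name__ == "__main__":
    for s in ("BIND 9.9.3", "9.9.2-P2", "9.8.5", "9.8.4-P2", "9.9.3rc1", "9.7.6"):
        print("%-12s -> %s" % (s, at_least_announced(s)))
```

  Feed it the first line of "named -v" (or of "named -V", which on 9.9.3 also
  reports the source ID described below) on each server you manage.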

New Features

  Adds a new configuration option, "check-spf"; valid values are
  "warn" (default) and "ignore".  When set to "warn", checks SPF
  and TXT records in spf format, warning if either resource record
  type occurs without a corresponding record of the other resource
  record type.  [RT #33355]
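  The consistency rule behind "check-spf" is easy to misread, so here is an
  offline mirror of it as an added example (my code, not named's implementation):
  for every owner that has either an SPF record or a TXT record in SPF format,
  warn if the other type is missing. The records are constructed for the
  example and the SPF-format test follows RFC 4408's version tag "v=spf1".

```python
# Constructed zone data for the example: (owner, rrtype, text).
ZONE = [
    ("example.com.",       "TXT", "v=spf1 mx -all"),
    ("example.com.",       "SPF", "v=spf1 mx -all"),
    ("mail.example.com.",  "TXT", "v=spf1 ip4:192.0.2.0/24 -all"),           # no SPF twin
    ("lists.example.com.", "SPF", "v=spf1 include:_spf.example.com -all"),   # no TXT twin
    ("www.example.com.",   "TXT", "some unrelated text"),                    # not SPF at all
]


def is_spf_text(text):
    """RFC 4408 section 4.5: an SPF record starts with the version tag 'v=spf1',
    followed by end of string or whitespace; the tag is case-insensitive."""
    t = text.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")


def check_spf(records):
    """Return the warnings a 'check-spf warn' load would raise for these records:
    an SPF record without an SPF-format TXT record at the same owner, or the
    reverse. Owners with neither (or both) produce nothing."""
    types_by_owner = {}
    for owner, rtype, text in records:
        if rtype == "SPF" or (rtype == "TXT" and is_spf_text(text)):
            types_by_owner.setdefault(owner.lower(), set()).add(rtype)

    warnings = []
    for owner, types in sorted(types_by_owner.items()):
        if "SPF" not in types:
            warnings.append("%s has an SPF-format TXT record but no SPF record" % owner)
        if "TXT" not in types:
            warnings.append("%s has an SPF record but no SPF-format TXT record" % owner)
    return warnings


if __name__ == "__main__":
    for w in check_spf(ZONE):
        print("warning:", w)
```

  The check is about mismatched copies, not about SPF syntax: named does not
  evaluate the policy, it only notices when the two record types disagree about
  whether an owner publishes one. (RFC 7208 later retired the SPF RR type in
  favour of TXT only; on a zone that has dropped SPF records entirely this
  check stays silent.)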

  Adds the command-line tool "dnssec-coverage" that checks to make
  sure that there is no scheduled lapse in key coverage. Requires
  python. [RT #28098]

  Adds support for the EUI48 and EUI64 RR types. [RT #33082]

  Adds support for the RFC 6742 ILNP record types (NID, LP, L32,
  and L64). [RT #31836]
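  For the EUI48 and EUI64 types above, the thing that actually bites in zone
  files is the presentation format: RFC 7043 specifies six (EUI48) or eight
  (EUI64) two-hex-digit groups separated by hyphens, and a MAC written with
  colons is not a valid record. The following added example (not BIND code)
  converts between that text form and the fixed-length RDATA, rejects
  malformed input, and renders a canonical zone-file line; the owner name and
  TTL in the test data are made up for the example.

```python
import re

EUI_OCTETS = {"EUI48": 6, "EUI64": 8}
_HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def eui_from_text(rrtype, text):
    """Parse the RFC 7043 presentation format into RDATA bytes.
    Rejects the wrong number of groups, non-hyphen separators and non-hex digits."""
    n = EUI_OCTETS[rrtype]
    groups = text.strip().split("-")
    if len(groups) != n or not all(_HEX_PAIR.fullmatch(g) for g in groups):
        raise ValueError("%s needs %d two-hex-digit groups separated by '-', got %r"
                         % (rrtype, n, text))
    return bytes(int(g, 16) for g in groups)


def eui_to_text(rrtype, rdata):
    """Render RDATA in the canonical lower-case presentation form."""
    n = EUI_OCTETS[rrtype]
    if len(rdata) != n:
        raise ValueError("%s RDATA must be %d octets, got %d" % (rrtype, n, len(rdata)))
    return "-".join("%02x" % b for b in rdata)


def eui_is_valid(rrtype, text):
    try:
        eui_from_text(rrtype, text)
        return True
    except ValueError:
        return False


def eui_zone_line(owner, ttl, rrtype, rdata):
    """One master-file line for the record (owner and TTL supplied by the caller)."""
    return "%s %d IN %s %s" % (owner, ttl, rrtype, eui_to_text(rrtype, rdata))


if __name__ == "__main__":
    mac = eui_from_text("EUI48", "00-00-5E-00-53-2A")   # upper case accepted on input
    print(eui_zone_line("host.example.com.", 3600, "EUI48", mac))
    print("colon form valid?", eui_is_valid("EUI48", "00:00:5e:00:53:2a"))
```

  RFC 7043 also warns that these records carry hardware identifiers and are
  not meant for publication in the public DNS; keep them to internal zones.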

Feature Changes

  Changes timing of when slave zones send NOTIFY messages after
  loading a new copy of the zone.  They now send the NOTIFY before
  writing the zone data to disk.  This will result in quicker
  propagation of updates in multi-level server structures. [RT
  #27242]

  Adds a way for a specific version of the XML statistics to be
  requested.  HTTP status 404 is returned if the server does not
  support the requested version.  Servers are still limited to
  supporting only one version, selected at compile time. [RT #32481]

  Updates the built-in root hints for D.ROOT-SERVERS.NET whose
  IPv4 address changed to 199.7.91.13 (as of 3rd January 2013).
  Note that recursive servers running with an older set of root
  hints will still operate successfully because there are 12 other
  root servers whose addresses are correct and who will respond
  during root priming with the new root nameserver RRset.  [RT
  #32164]

  The contributed queryperf utility has been improved, now retaining
  better round trip time statistics. [RT #30128]

  The zone-statistics option now takes three options: "full",
  "terse", and "none".  "yes" is now a synonym for "full".  "no"
  is now a synonym for "terse", which is how it behaved in previous
  versions. [RT #29165]

  dnssec-dsfromkey now no longer puts legal whitespace in DS hashes
  in order to inter-operate better with some overly-strict registrars.
  [RT #31951]

  Adds RFC 6598 reverse zones to the built-in empty zones list:
  64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
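  The "64.100 ... 127.100" range above is what you get when a prefix that is
  not octet-aligned (100.64.0.0/10, RFC 6598 shared address space) is covered
  by the smallest set of IN-ADDR.ARPA zones. The following added example (my
  code, not BIND's empty-zone table) computes that set for any IPv4 prefix and
  emits the matching "disable-empty-zone" lines for operators who actually
  serve reverse DNS for shared address space and therefore need to turn the
  built-in empty zones off; the "disable-empty-zone" option is an existing
  named.conf option, the rest is the example's own.

```python
import ipaddress


def reverse_zones(cidr):
    """Smallest set of octet-aligned in-addr.arpa zones covering an IPv4 prefix.
    A /8, /16, /24 or /32 maps to one zone; anything in between is split into
    the next octet boundary, so a /10 becomes 2**6 = 64 /16 zones."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 prefixes only")
    if net.prefixlen == 0:
        return ["in-addr.arpa"]
    aligned = -(-net.prefixlen // 8) * 8          # round prefix length up to an octet
    octets = aligned // 8
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def disable_empty_zone_stanzas(cidr):
    """named.conf lines that switch off the built-in empty zones for the prefix."""
    return ['disable-empty-zone "%s";' % z for z in reverse_zones(cidr)]


if __name__ == "__main__":
    zones = reverse_zones("100.64.0.0/10")
    print(len(zones), "zones:", zones[0], "...", zones[-1])
    print("\n".join(disable_empty_zone_stanzas("100.64.0.0/10")[:3]), "...")
```

  Run it against "100.64.0.0/10" and you get exactly the 64 zones the note
  lists; a caller that serves only part of that space can pass the narrower
  prefix and disable only those.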

  Makes available a new XML schema (version 3.0) for the statistics
  channel that adds query type statistics at the zone level,
  flattens the XML tree and uses compressed format to optimize
  parsing. It also includes new XSL that permits charting via the
  Google Charts API on browsers that support javascript in XSL.

  To enable, build BIND with "configure --enable-newstats". [RT #30023]

  "named -V" can now report a source ID string.  (This will be
  of most interest to developers and troubleshooters).  The source
  ID for ISC's production versions of BIND is defined in the "srcid"
  file in the build tree and is normally set to the most recent
  git hash. [RT #31494]

  Response Policy Zone performance enhancements.  New "response-policy"
  option "min-ns-dots".  "nsip" and "nsdname" now enabled by default
  with RPZ. [RT #32251]

  Now includes, in the community contribution section, a
  dynamically-loadable DLZ module: BDBHPT, contributed by Mark
  Goldfinch. [RT #32549]

Bug Fixes

  Added additional diagnostic messages to the 'dig' command when
  errors are returned in response to EDNS queries.  Added documentation
  on the '+noedns' option to the 'dig' command help text. [RT #33363]

  isc-config.sh did not honour includedir and libdir when set via
  configure. [RT #33345]

  Fixed a crash in nsupdate when used with the -r command-line
  option [RT #33280]

  Fixed a bug that prevented the IXFR of DLZ-stored zones.  [RT #33331]

  Fixed a bug that caused zones of type 'redirect' to always report
  a failure during 'rndc reload'.  This aborted the reload processing.
  [RT #33292]

  Address a possible race condition in acache.c  [RT #33252]

  Now properly detects and rejects additional malformed unknown
  rdata records. [RT #33129]

  Fixed a bug with NSID that could break DNSSEC due to invalid
  EDNS options being sent [RT #33153]

  Avoids a race condition in data structure initialization with
  accepting new socket connections. [RT #33084]

  Fixed memory leak when using ECDSA. [RT #32249]

  Fixed memory leaks in contrib/query-loc. [RT #32960]

  Fixed resource leaks and a buffer overrun in contrib/zkt. [RT #32960]

  Correct initialization errors in libdns when built in libexport
  mode. [RT #33028]

  Allow max-cache-size and max-acache-size to accept values greater
  than 4 gigabytes when built with 64-bit integers.  "unlimited"
  still means 4 gigabytes - 1 and "0" still allows truly unlimited
  cache sizes. [RT #32358]

  Removed lock contention issues that slowed zone loading times
  for 9.9.x compared with 9.8.x.  Zone loading times are now faster
  than they were with 9.8.x. [RT #30399]

  The default value for the number of UDP dispatchers is now either
  the number of CPUs or the number of worker threads, whichever
  is lower.  The previous default was the number of worker threads.
  [RT #30964]

  Fixed a crash bug with the loading of incomplete configurations
  including a slave zone with inline-signing and without a file
  name. [RT #31946]

  Corrected dnssec-signzone and dnssec-verify behavior with opt-out
  delegations and NSEC3. [RT #32072]

  Fixed rendering issues for some statistics with the XML stats
  channel. [RT #32587]

  Prevent a crash-on-shutdown race condition. [RT #32777]

  Fixed glitch in displaying query data when configured with
  --enable-newstats and no queries have yet been received. [RT #32620]

  Fixed bug where expired slave zones could fail to rewrite the
  zone data file after the master is again available. [RT #31276]

  Fixed a potential crash when adding and deleting keys with rndc.
  [RT #32506]

  Fixed a possible crash with Diffie-Hellman generated TSIG keys.
  [RT #32649]

  Increased maximum allowed key size for some algorithms in
  ddns-confgen and rndc-confgen. [RT #32753]

  nsupdate could exit with an assertion when the local and remote
  address families didn't match. [RT #22897]

  Fixes some potential memory leaks with gssapi usage. [RT #32405]

  Fixes a couple of linked-list pointer initialization bugs. [RT #32651]

  dnssec-keygen and dnssec-settime disallow setting the delete
  date to be sooner than the inactive date. [RT #31719]

  Update HSM PKCS#11 patches to openssl to add support for openssl
  versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

  ddns-confgen now accepts all the TSIG algorithms that it is
  documented as supporting when generating keys. [RT #31927]

  Missing 'managed-keys-directory' is now handled better.  Prior
  to this change, when misconfigured, named could loop and consume
  100% CPU.  [RT #30625]

  Now only the programs that use the readline library will link
  with it (nslookup and nsupdate). [RT #29810]

  When using 'rndc addzone' of a zone with 'inline-signing
  yes;' named will first load the unsigned version and then
  afterwards successfully create the signed version.  (Prior to
  this fix, the addzone would fail).  [RT #31960]

  dnssec-checkds now emits a clear message when records are not
  found. This change also fixes a minor reporting problem whereby
  dnssec-checkds incorrectly reported that no DS records had been
  found for a KSK, despite having found and listed one. In addition,
  errors in the man pages (referencing the wrong utility) have
  been remedied. [RT #31968]

  Addresses portability issues (encountered when testing on HPUX)
  and corrects "rndc signing -nsec3param" to accept the full range
  of possible values.  [RT #31938]

  Named should no longer die on shutdown if running with 128 UDP
  dispatches per interface. [RT #31743]

  Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval,
  dnssec-dnskey-kskonly) are now accepted in slave zone definitions
  in named.conf when inline-signing is being used. [RT #31078]

  Addresses build problems encountered on NetBSD 6.0 (renames the
  'bool' parameter to avoid a namespace clash).  [RT #31515]

  When using the zone reload method of importing changes to named
  with in-line signing, changes to SOA record parameters (other
  than the serial number alone) in the un-signed zone will now
  trigger named to update the signed version of the zone.  Prior
  to this fix, if SOA parameters were updated while the server was
  offline but without any changes also being made to other records
  in the zone, then those changes would not be picked up when the
  server was restarted/reloaded. [RT #29272]

  named-checkconf now detects missing master lists in also-notify
  clauses. [RT #30810]

  Improves locking performance when recursing. (This change
  implements several different strategies for reducing lock
  contention, specifically relating to the internal structures
  that are used when handling upstream queries). [RT #28836]

  When recursing, named now uses multiple dispatch objects for
  sending upstream queries; this can improve performance on busy
  multiprocessor systems by reducing lock contention, particularly
  when the cache hit rate is low. [RT #28605]

  Handle cases where a port is reserved and cannot be used as the
  source for a query. [RT #31778]

  Correct a case where a negative response could incorrectly be
  flagged as being DNSSEC authenticated when it was not actually
  authenticated. [RT #32237]

  Fix missing includes in testing support library that caused it
  to fail to build on some platforms. [RT #32012]

  Return correct error code (FORMERR) when presented with malformed
  requests containing overly long domain names. [RT #29682]

  Instead of rejecting and logging a FORMERR, named now accepts
  duplicate singleton records in a DNS query response.  (In some
  situations, query responses may contain duplicates - and whilst
  this is not technically correct, BIND has been updated to be
  more tolerant).  [RT #32329]

  When named allocates an initial per-thread stack size, it first
  checks the operating system's default value, and if specified,
  uses that.  In the situation where it appears that none is
  provided, it uses an internal default.  This default has been
  increased from 64K to 1M to accommodate operating systems that
  require a larger initial stack.  [RT #32230]

  The allow-query-on ACL is now processed correctly in all situations.
  [RT #29486]

  The configure script now supports and detects libxml2-2.9.x
  correctly. [RT #32231]

  When loading a zone file, named now emits a warning if it
  encounters a record with a blank owner name immediately following
  $ORIGIN.  The reason for this is that when parsing a zone file,
  a blank owner name means the current name (i.e. the owner of the
  previous record that named loaded) is reused, even though $ORIGIN
  has changed, so the record does not land under the new origin.
  Particularly when handling subdomains, this can result in those
  records being unexpectedly loaded with different labels than
  intended.  [RT #31848]
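  The $ORIGIN / blank-owner interaction described above is easiest to see by
  stepping through a small zone file. The following added example is a minimal
  zone-file reader written for this page (it is not named's parser and handles
  only single-line records, $ORIGIN and $TTL); it applies the RFC 1035 rule
  that a blank owner inherits the previous record's owner, and flags the case
  the note warns about. The zone text is constructed for the example.

```python
# Constructed zone file: the blank-owner record on line 5 is the pitfall.
ZONE_TEXT = """\
$ORIGIN example.com.
@       IN SOA ns1 hostmaster 2013052801 3600 900 604800 300
www     IN A 192.0.2.1
$ORIGIN sub.example.com.
        IN A 192.0.2.2   ; blank owner: inherits www.example.com., not sub.example.com.
host    IN A 192.0.2.3   ; host.sub.example.com.
"""


def load_zone(zone_text, origin):
    """Return ([(owner_fqdn, rrtype, rdata)], [warnings]).
    A line starting with whitespace has a blank owner and reuses the current
    owner name; a blank owner right after $ORIGIN is reported, because the
    record is loaded under the old name rather than the new origin."""
    current_owner = None
    origin_changed = False
    records, warnings = [], []

    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin_changed = True
            continue
        if line.startswith("$"):                    # $TTL etc.: not needed here
            continue

        fields = line.split()
        if line[0] in " \t":                        # blank owner field
            if current_owner is None:
                raise ValueError("line %d: blank owner with no previous owner" % lineno)
            owner = current_owner
            if origin_changed:
                warnings.append("line %d: record with inherited owner %s immediately "
                                "after $ORIGIN %s" % (lineno, owner, origin))
        else:
            name = fields.pop(0)
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = name + "." + origin
            current_owner = owner
        origin_changed = False

        # skip optional TTL and class tokens, leaving "TYPE rdata..."
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))

    return records, warnings


if __name__ == "__main__":
    recs, warns = load_zone(ZONE_TEXT, "example.com.")
    for r in recs:
        print(r)
    for w in warns:
        print("warning:", w)
```

  The A record on line 5 comes out as www.example.com., not as anything under
  sub.example.com., which is exactly the surprise the warning exists to catch.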

  Resolves a problem that when answering queries for nonexistent
  names via wildcard CNAME records, DNSSEC responses could fail to
  include the NSEC/NSEC3 records proving the lack of a better
  answer.  [RT #21409]

  Prevents a named abort (assertion fail) during recovery from
  an out of memory condition.  This crash would be encountered in
  module general: dst_api.c and logged as REQUIRE((&key->refs)->refs
  == 0).  [RT #32131]

  A new configure option --with-ecdsa has been added to force
  building with ECDSA, bypassing the script-based checks that this
  functionality is available in the build environment. The converse,
  --without-ecdsa, explicitly disables ECDSA support during the
  BIND build.  Both of these options have been added to assist
  cross-compilation to environments that do (or don't) support
  ECDSA, overriding the default build behaviour.  [RT #32078]

  XML statistics generated by Windows builds contained incorrectly
  formatted "boot-time" and "current-time" values.  [RT #32044]

  dig now prints the timezone as part of the timestamp in the
  "WHEN" line of the output.  [RT #2269]

  Fixes a race condition in acache.c that could cause named to
  crash if the acache feature was enabled.  [RT #31908]

  Prevents named from consuming high CPU resources when re-signing
  if all keys are offline.  [RT #31916]

  Addresses compilation issues when using the GNU build VPATH
  feature.  [RT #31879]

  Fixes a race condition when DNSSEC validation is canceled (e.g.
  by server shutdown).  [RT #31804]

  Prevents crashes on startup of named, dig and other utilities
  from 64-bit builds of BIND in the Solaris 11 environment.
  Compilers inadvertently created a 64-bit-aligned
  instruction/32-bit-aligned pointer issue in an area of code that
  is shared between many of the BIND binaries.  Copying the timeval
  structure from control message data before using it prevents
  this from happening.  [RT #31548]

  Uses IPV6_USE_MIN_MTU (or equivalent) with TCP in addition to
  UDP.  This change addresses TCP query failures that are due to
  delays in learning the working PMTU when communicating via
  tunneled IPv6. [RT #31690]

  Fixes compilation errors when building with ISC_MEM_TRACKLINES
  or ISC_MEMPOOL_NAMES disabled and also makes ISC_MEM_DEBUG
  non-optional. [RT #31559]

  Prevents named from terminating unexpectedly on very busy
  high-end servers that are using the additional section cache
  ("acache-enable yes;"). [RT #31253]

  When re-signing a zone, dnssec-signzone now removes RRSIG and
  NSEC records from nodes that used to be in-zone but are now below
  a zone cut. This situation is most likely to arise following the
  delegation of a subdomain where the glue (A and AAAA) records
  for the nameservers used to be included in the parent zone, but
  other scenarios are also possible. [RT #31556]

  Silences unnecessarily noisy OpenSSL logging by suppressing some
  warning messages and moving others to the "dnssec" logging
  category.  Note that the increased logging was introduced by
  change 3354 (RT #29932).  [RT #31497]

  Implements a collection of minor changes in response to warnings
  generated by several source code validation utilities. No instances
  of problems have been reported, but these code changes improve
  the future reliability and resilience of BIND9. [RT #31484, RT #31626]

  dig no longer crashes when using +nssearch with +tcp. [RT #25298]

  OPT records are no longer removed from signed truncated query
  responses.  Receipt of these responses might cause recursive
  servers to incorrectly identify the sending servers as unable
  to support EDNS0.  [RT #31439]

  Message 'sucessfully validated after lower casing signer' is now
  logged at debug level 1 and has been moved to category "dnssec".
  (The misspelling is also corrected).  [RT #31414]

  "host -C" should no longer crash with a core dump if REFUSED is
  received.  This behaviour was an underlying cause of intermittent
  and often unreproducible crashes which have been experienced by
  users of the host command.  [RT #31381]

  A DNSKEY lookup that encounters a CNAME will now no longer return
  SERVFAIL.  This failure mode might have been observed in named's
  logfiles as a resolver format error "CNAME response for DNSKEY
  RR". [RT #31262]

  dig now consistently returns NOERROR in TSIG; prior to this
  change it would occasionally display '0' instead. [RT #31275]

  Prevents a named hang (due to a violation of lock ordering that
  can lead to a deadlock between threads) that may occur in some
  situations when generating new NSEC / NSEC3 chains. [RT #31224]

  Slave SOA queries now observe "use-v4-udp-ports" and "use-v6-udp-ports"
  ranges appropriately.  Prior to this change the IPv6 port range
  was applied to all SOA refresh queries.  Most of the time this
  behaviour would be unnoticed because the IPv6 port range is seldom
  configured separately and defaults to the IPv4 port range.  But
  if an administrator chose to specify a null IPv6 port range
  ("use-v6-udp-ports { };") on a slave server, SOA refresh queries
  would be completely disabled.  [RT #24173]

  named could die if a non-existent master list was referenced in
  an "also-notify" statement. [RT #31004]

  In some cases, servers were being marked as not supporting EDNS
  despite not receiving a successful response. [RT #30811]

  Parsing tests for 32 bit integers will now return a range error
  on systems that support 64-bit longs. This change may impact
  administrators who have mistakenly been using serial numbers
  greater than 2**32 in their zone files (for example, using format
  YYYYMMDDXXXX) and whose zones loaded, but should have been
  rejected. The loaded zones would have appeared to be functioning
  correctly, but in some instances could suffer from operational
  problems (for example, when enabling IXFR).  [RT #30232]
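  The serial-number note above is worth a concrete check, because a zone with
  a 12-digit YYYYMMDDXXXX serial looks fine until something (IXFR, a stricter
  BIND) compares it as a 32-bit value. The following added example (my code,
  not BIND's parser) rejects serials that do not fit in 32 bits, implements the
  RFC 1982 comparison that slaves use to decide whether a transfer is needed,
  and shows the YYYYMMDDnn convention that stays inside the range; the sample
  serials are constructed.

```python
SERIAL_MAX = 2 ** 32 - 1


def check_serial(value):
    """(ok, message) for a serial field as it appears in a zone file.
    Mirrors the range error 9.9.3 now raises on 64-bit platforms."""
    if not value.isdigit():
        return False, "serial %r is not an unsigned integer" % value
    n = int(value)
    if n > SERIAL_MAX:
        hint = " (looks like YYYYMMDDXXXX; use YYYYMMDDnn)" if len(value) == 12 else ""
        return False, "serial %s exceeds 2**32-1%s" % (value, hint)
    return True, ""


def serial_gt(a, b):
    """RFC 1982 'a is greater than b' over the 32-bit serial space.
    Returns False when the two are equal or exactly 2**31 apart (undefined)."""
    if a == b:
        return False
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)


def next_serial(current, date_yyyymmdd):
    """Next serial in the YYYYMMDDnn convention: today's date with a two-digit
    counter, or current+1 if the zone was already bumped past that today."""
    base = int(date_yyyymmdd) * 100
    candidate = base if current < base else current + 1
    if candidate > SERIAL_MAX:
        raise ValueError("serial %d would leave the 32-bit range" % candidate)
    if not serial_gt(candidate, current):
        raise ValueError("serial %d is not greater than %d under RFC 1982" % (candidate, current))
    return candidate


if __name__ == "__main__":
    for s in ("2013052801", "201305280001", "4294967296"):
        print(s, check_serial(s))
    print(next_serial(2013052801, "20130528"), next_serial(2013052801, "20130529"))
```

  A serial that BIND used to accept on a 64-bit host and now rejects has to be
  brought back into range; since the slaves compare modulo 2**32, pick the
  replacement with serial_gt against whatever value they last saw rather than
  simply starting over at a small number.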

  Silences spurious "deleted from unreachable cache" messages. [RT #30501]

  When receiving a query with AD=1 named will now behave in the
  same way as when DO=1 is set when deciding whether to add NS
  RRsets to the additional section or not.  Prior to this change,
  when a reply was constructed to a query with DO=1 and the
  answer section was signed and valid, named wouldn't add
  untrusted NS RRsets to the additional section.  But with AD=1
  (and DO=0) in the query, it might have added available but
  untrusted RRsets to the response, at the same time setting AD=0.
  [RT #30479]

企鹅博客
  • Posted on 22 August 2020, 07:31:50
  • Please keep this link when reposting: https://www.qieseo.com/279091.html