/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.txt

https://bitbucket.org/freebsd/freebsd-head/

     __________________________________________________________________

Introduction

   BIND 9.8.1 is the current production release of BIND 9.8.

   This document summarizes changes from BIND 9.8.0 to BIND 9.8.1. Please
   see the CHANGES file in the source code release for a complete list of
   all changes.

Download

   The latest versions of BIND 9 software can always be found on our web
   site at http://www.isc.org/downloads/all. There you will find
   additional information about each release, source code, and some
   pre-compiled versions for certain operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

9.8.1

     * Added a new include file with function typedefs for the DLZ
       "dlopen" driver. [RT #23629]
     * Added a tool able to generate malformed packets to allow testing of
       how named handles them. [RT #24096]
     * The root key is now provided in the file bind.keys allowing DNSSEC
       validation to be switched on at start up by adding
       "dnssec-validation auto;" to named.conf. If the root key provided
       has expired, named will log the expiration and validation will not
       work. More information and the most current copy of bind.keys can
       be found at http://www.isc.org/bind-keys. *Please note this feature
       was actually added in 9.8.0 but was not included in the 9.8.0
       release notes. [RT #21727]

Security Fixes

9.8.1

     * If named is configured with a response policy zone (RPZ) and a
       query of type RRSIG is received for a name configured for RRset
       replacement in that RPZ, it will trigger an INSIST and crash the
       server. [RT #24280]
     * named, set up to be a caching resolver, is vulnerable to a user
       querying a domain with very large resource record sets (RRSets)
       when trying to negatively cache the response. Due to an off-by-one
       error, caching the response could cause named to crash. [RT #24650]
       [CVE-2011-1910]
     * Querying a wildcard CNAME label in a Response Policy Zone (RPZ)
       with query type SIG/RRSIG could cause named to crash. The fix is
       query type independent. [RT #24715]
     * Using Response Policy Zone (RPZ) with DNAME records and querying
       the subdomain of that label can cause named to crash. named now
       logs that DNAME is not supported. [RT #24766]
     * Change #2912 populated the message section in replies to UPDATE
       requests, which some Windows clients wanted. This exposed a latent
       bug that allowed the response message to crash named. With this
       fix, change 2912 has been reduced to copy only the zone section to
       the reply. A more complete fix for the latent bug will be released
       later. [RT #24777]

Feature Changes

9.8.1

     * Merged in the NetBSD ATF test framework (currently version 0.12)
       for development of future unit tests. Use configure --with-atf to
       build ATF internally or configure --with-atf=prefix to use an
       external copy. [RT #23209]
     * Added more verbose error reporting from DLZ LDAP. [RT #23402]
     * The DLZ "dlopen" driver is now built by default, no longer
       requiring a configure option. To disable it, use "configure
       --without-dlopen". (Note: driver not supported on win32.) [RT
       #23467]
     * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
     * Make --with-gssapi default for ./configure. [RT #23738]
     * Improved the startup time for an authoritative server with a large
       number of zones by making the zone task table of variable size
       rather than fixed size. This means that authoritative servers with
       lots of zones will be serving that zone data much sooner. [RT
       #24406]
     * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
       list of empty zones. [RT #24990]
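
   The practical effect of the RFC 6303 change above is that PTR queries
   for RFC 1918 addresses get a local NXDOMAIN instead of leaking to the
   public in-addr.arpa servers. The following is an added example written
   for these notes, not code from BIND: it builds the RFC 1918 reverse
   zone list from RFC 6303 section 4.2 and reports whether a PTR query for
   a given address would be absorbed by one of those empty zones. The
   zone list is constructed from the RFC text only; BIND's full built-in
   list also covers loopback, link-local and IPv6 ranges, and locally
   configured zones or disable-empty-zone overrides are not modelled.

```python
import ipaddress

# RFC 1918 reverse zones from RFC 6303 section 4.2 (constructed list;
# BIND's actual built-in empty-zone list is longer).
RFC1918_EMPTY_ZONES = (
    ["10.in-addr.arpa."]
    + ["%d.172.in-addr.arpa." % i for i in range(16, 32)]
    + ["168.192.in-addr.arpa."]
)


def reverse_name(addr):
    """in-addr.arpa name for an IPv4 address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.IPv4Address(addr).reverse_pointer + "."


def matching_empty_zone(qname):
    """Return the built-in empty zone that covers qname, or None.

    Matching is on label boundaries: a zone covers itself and every name
    below it, so 1.2.3.110.in-addr.arpa must NOT match 10.in-addr.arpa.
    """
    q = qname.lower().rstrip(".") + "."
    for zone in RFC1918_EMPTY_ZONES:
        if q == zone or q.endswith("." + zone):
            return zone
    return None


def ptr_is_answered_locally(addr):
    """True when the PTR lookup for addr is answered (NXDOMAIN) from an
    empty zone instead of being sent to the upstream in-addr.arpa servers."""
    return matching_empty_zone(reverse_name(addr)) is not None


if __name__ == "__main__":
    for a in ("10.1.2.3", "172.20.0.9", "172.40.0.9", "192.168.0.1", "8.8.8.8"):
        print(a, reverse_name(a), "local" if ptr_is_answered_locally(a) else "upstream")
```

   The label-boundary check is the part worth copying: a naive suffix
   match would also swallow names such as 110.in-addr.arpa, which are
   public space.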

Bug Fixes

9.8.1

     * During RFC5011 processing some journal write errors were not
       detected. This could lead to managed-keys changes being committed
       but not recorded in the journal files, causing potential
       inconsistencies during later processing. [RT #20256]
     * A potential NULL pointer dereference in the DNS64 code could cause
       named to terminate unexpectedly. [RT #20256]
     * A state variable relating to DNSSEC could fail to be set during
       some infrequently-executed code paths, allowing it to be used
       whilst in an uninitialized state during cache updates, with
       unpredictable results. [RT #20256]
     * A potential NULL pointer dereference in DNSSEC signing code could
       cause named to terminate unexpectedly. [RT #20256]
     * Several cosmetic code changes were made to silence warnings
       generated by a static code analysis tool. [RT #20256]
     * When using the -x (sign with only KSK) option on dnssec-signzone,
       it could incorrectly count the number of ZSKs in the zone. (And in
       9.9.0, some code cleanup and improved warning messages). [RT
       #20852]
     * When using _builtin in named.conf, named.conf changes were not
       found when reloading the config file. Now checks _builtin zone
       arguments to see if the zone is re-usable or not. [RT #21914]
     * Running dnssec-settime -f on an old-style key will now force the
       key to be rewritten to the new key format even if no other change
       has been specified, using "-P now -A now" as default values. [RT
       #22474]
     * After an external code review, a code cleanup was done. [RT #22521]
     * Cause named to terminate at startup, or rndc reconfig/reload to
       fail, if a log file specified in the conf file isn't a plain file.
       [RT #22771]
     * named now forces the ADB cache time for glue related data to zero
       instead of relying on TTL. This corrects problematic behavior in
       cases where a server was authoritative for the A record of a
       nameserver for a delegated zone and was queried to recursively
       resolve records within that zone. [RT #22842]
     * When a validating resolver got a NODATA response for DNSKEY, it was
       not caching the NODATA. Fixed and test added. [RT #22908]
     * Fixed a bug in which, for zone keys that were published but not
       immediately activated, automatic signing could fail to trigger. [RT
       #22911]
     * Fixed precedence order bug with NS and DNAME records if both are
       present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
     * When a DNSSEC signed dynamic zone's signatures need to be
       refreshed, named would first delete the old signatures in the zone.
       If a private key of the same algorithm isn't available to named,
       the signing would fail but the old signatures would already be
       deleted. named now checks if it can access the private key before
       deleting the old signatures and leaves the old signature if no
       private key is found. [RT #23136]
     * When using "auto-dnssec maintain" and rolling to a new key, a
       private-type record (only used internally by named) could be
       created and not marked as complete. [RT #23253]
     * Fixed last autosign test report. [RT #23256]
     * named didn't save gid at startup and later assumed gid 0. named now
       saves/restores the gid when creating named.pid at startup.
       [RT #23290]
     * If the server has an IPv6 address but does not have IPv6
       connectivity to the internet, dig +trace could fail attempting to
       use IPv6 addresses. [RT #23297]
     * If named is configured with managed zones, the managed-key
       maintenance timer can exercise a race condition that can crash the
       server. [RT #23303]
     * Changing TTL did not cause dnssec-signzone to generate new
       signatures. [RT #23330]
     * Have the validating resolver use RRSIG original TTL to compute
       validated RRset and RRSIG TTL. [RT #23332]
     * In "make test" bin/tests/resolver, hold the socket manager lock
       while freeing the socket. [RT #23333]
     * If named encountered a CNAME instead of a DS record when walking
       the chain of trust down from the trust anchor, it incorrectly
       stopped validating. [RT #23338]
     * dns/view.h needed dns/rpz.h but it wasn't in the Makefile.in HEADERS
       variable. [RT #23342]
     * RRSIG records could have time stamps too far in the future. [RT
       #23356]
     * named stores cached data in an in-memory database and keeps track
       of how recently the data is used with a heap. The heap is stored
       within the cache's memory space. Under a sustained high query load
       and with a small cache size, this could lead to the heap exhausting
       the cache space. This would result in cache misses and SERVFAILs,
       with named never releasing the cache memory the heap used up and
       never recovering. This fix moves the heap into its own memory
       space, preventing the heap from exhausting the cache space and
       allowing named to recover gracefully when the high query load
       abates. [RT #23371]
     * Fully separated key management on a per view basis. [RT #23419]
     * If running on a powerpc CPU and with atomic operations enabled,
       named could lock up. Added sync instructions to the end of atomic
       operations. [RT #23469]
     * If OpenSSL was built without engine support, named would have
       compile errors and fail to build. [RT #23473]
     * If ./configure finds GOST but not elliptic curve, named fails to
       build. Added elliptic curve support check in GOST OpenSSL engine
       detection. [RT #23485]
     * "rndc secroots" would abort on the first error and so could miss
       remaining views. [RT #23488]
     * Handle isc_event_allocate failures in t_tasks test. [RT #23572]
     * ixfr-from-differences {master|slave}; failed to select the
       master/slave zones, resulting in no diff/journal file being
       created. [RT #23580]
     * If a DNAME substitution failed, named returned NOERROR. The correct
       response should be YXDOMAIN. [RT #23591]
     * dns_dnssec_findzonekeys{2} used an inconsistent timestamp when
       determining which keys are active. This could result in some RRsets
       not being signed/re-signed. [RT #23642]
     * Remove bin/tests/system/logfileconfig/ns1/named.conf and add
       setup.sh in order to resolve changing named.conf issue. [RT #23687]
     * NOTIFY messages were not being sent when generating a NSEC3 chain
       incrementally. [RT #23702]
     * DDNS updates using SIG(0) with update-policy match type "external"
       could cause a crash. Also fixed nsupdate core dump on shutdown when
       using a SIG(0) key, due to the key not being freed. [RT #23735]
     * Zones using automatic key maintenance could fail to check the key
       repository for updates. named now checks once per hour and the
       automatic check bug has been fixed. [RT #23744]
     * named now uses the correct strtok/strtok_r/strtok_s based on OS.
       [RT #23747]
     * Signatures for records at the zone apex could go stale due to an
       incorrect timer setting. [RT #23769]
     * The autosign tests attempted to open ports within reserved ranges.
       Test now avoids those ports. [RT #23957]
     * GSS-TSIG test was failing, since log_cred() caused KRB5_KTNAME to
       be cached. Now sets KRB5_KTNAME before calling log_cred() in
       dst_gssapi_acceptctx(). [RT #24004]
     * named, acting as authoritative server for DLZ zones, was not
       correctly setting the authoritative (AA) bit. [RT #24146]
     * Clean up some cross-compiling issues and added two undocumented
       configure options, --with-gost and --with-rlimtype, to allow
       over-riding default settings (gost=no and rlimtype="long int") when
       cross-compiling. [RT #24367]
     * When trying to sign with NSEC3, if dnssec-signzone couldn't find the
       KSK, it would give an incorrect error "NSEC3 iterations too big for
       weakest DNSKEY strength" rather than the correct "failed to find
       keys at the zone apex: not found". [RT #24369]
     * Configuring 'dnssec-validation auto' in a view instead of in the
       options statement could trigger an assertion failure in
       named-checkconf. [RT #24382]
     * Improved consistency checks for dnssec-enable and
       dnssec-validation, added test cases to the checkconf system test.
       [RT #24398]
     * If named is configured to be both authoritative and recursive and
       receives a recursive query for a CNAME in a zone that it is
       authoritative for, if that CNAME also points to a zone the server
       is authoritative for, the recursive part of named will not follow
       the CNAME chain and the response will not be a complete CNAME
       chain. [RT #24455]
     * nsupdate could dump core on shutdown when using SIG(0) keys. [RT
       #24604]
     * named could fail to validate zones listed in a DLV that validated
       as insecure without using DLV and had DS records in the parent
       zone. [RT #24631]
     * dnssec-signzone now records timestamps just before and just after
       signing, improving the accuracy of signing statistics. [RT #16030]
     * If allow-new-zones was set to yes and name-based ACLs were used,
       named could crash when "rndc reconfig" was issued. [RT #22739]
     * RT #23136 fixed a problem where named would delete old signatures
       even when the private key wasn't available to re-sign the zone,
       resulting in a zone with missing signatures. This fix (CHANGES
       3114) did not completely fix all issues. [RT #24577]
     * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
       1280 bytes to not fragment as they should. Until there is a kernel
       fix, named will work around this by setting IPV6_USE_MIN_MTU on a
       per packet basis. [RT #24950]
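
   The DNAME item above (RT #23591) is easier to follow with the
   substitution written out. The following is an added example written
   for these notes, not code from named: it performs the DNAME
   substitution of RFC 2672 section 3 (since restated in RFC 6672) on
   presentation-format names and reports YXDOMAIN when the synthesized
   name would exceed the 255-octet wire limit, which is the failure the
   note says used to come back as NOERROR. The helper names and the
   sample names are made up for the illustration.

```python
# Added example: DNAME substitution with YXDOMAIN on overlong results.
# Not BIND code; written to illustrate the RT #23591 item above.

MAX_NAME_OCTETS = 255    # wire-format limit, RFC 1035 section 2.3.4
MAX_LABEL_OCTETS = 63


class YXDomain(Exception):
    """The synthesized name cannot exist (RCODE 6, YXDOMAIN)."""


def labels(name):
    """Split a presentation-format name into labels; the root is []."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets needed on the wire: one length octet plus the label octets
    for each label, plus the terminating root label."""
    return sum(1 + len(l) for l in lbls) + 1


def dname_substitute(qname, owner, target):
    """Replace the DNAME owner suffix of qname with the DNAME target.

    qname must be a proper subdomain of owner: a query for the owner
    itself returns the DNAME record and is not substituted.  Label
    comparison is case-insensitive, as in DNS.  Raises YXDomain when the
    result would not fit in 255 octets, ValueError on bad input.
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if not o:
        raise ValueError("a DNAME at the root is not handled by this example")
    if len(q) <= len(o) or [l.lower() for l in q[-len(o):]] != [l.lower() for l in o]:
        raise ValueError("%s is not below DNAME owner %s" % (qname, owner))
    new = q[: len(q) - len(o)] + t
    if any(len(l) > MAX_LABEL_OCTETS for l in new):
        raise ValueError("label longer than %d octets" % MAX_LABEL_OCTETS)
    if wire_length(new) > MAX_NAME_OCTETS:
        raise YXDomain("synthesized name would be %d octets" % wire_length(new))
    return ".".join(new) + "."


def dname_rcode(qname, owner, target):
    """(RCODE, synthesized name or None) a server should answer with."""
    try:
        return "NOERROR", dname_substitute(qname, owner, target)
    except YXDomain:
        return "YXDOMAIN", None


if __name__ == "__main__":
    print(dname_rcode("www.example.com.", "example.com.", "example.net."))
    long_target = ".".join(["a" * 63] * 3) + "."
    print(dname_rcode("x" * 63 + "." + "y" * 63 + ".example.com.",
                      "example.com.", long_target))
```

   Signalling YXDOMAIN rather than NOERROR matters to a resolver: NOERROR
   with no synthesized CNAME looks like a NODATA answer and may be
   negatively cached, whereas YXDOMAIN tells the client the name simply
   cannot be formed.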
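   Two of the items above, the use of the RRSIG original TTL when
   computing validated TTLs (RT #23332) and RRSIG time stamps lying too
   far in the future (RT #23356), both come down to the RRSIG temporal
   rules of RFC 4035. The following is an added example written for these
   notes, not BIND's validator: it checks the signature validity window
   (section 5.3.1) and caps the TTL of an authenticated RRset as section
   5.3.3 requires, including the Original TTL term. The RRSIG field
   names, the skew parameter and the sample values are assumptions for
   the illustration.

```python
# Added example: RRSIG validity window and validated-TTL cap
# (RFC 4035 sections 5.3.1 and 5.3.3).  Illustrative code, not BIND's.

from dataclasses import dataclass


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    original_ttl: int   # Original TTL field carried inside the RRSIG RDATA
    ttl: int            # TTL of the RRSIG RR itself, as received
    inception: int      # Signature Inception, seconds since the epoch
    expiration: int     # Signature Expiration, seconds since the epoch


def in_validity_window(sig, now, skew=0):
    """RFC 4035 section 5.3.1: the signature is usable only while
    inception <= now <= expiration.  `skew` (assumed parameter) tolerates
    small clock differences; serial-number arithmetic is omitted here."""
    return sig.inception - skew <= now <= sig.expiration + skew


def validated_ttl(rrset_ttl, sig, now):
    """RFC 4035 section 5.3.3: the validator MUST set the TTL of the
    authenticated RRset (and of its RRSIG) to no more than the minimum of
    the received RRset TTL, the received RRSIG TTL, the RRSIG Original
    TTL, and the time left until the signature expires.  The Original TTL
    is what the signer committed to, so an inflated TTL on the wire
    cannot stretch the cache lifetime beyond what was signed."""
    if not in_validity_window(sig, now):
        raise ValueError("RRSIG is outside its validity window")
    return min(rrset_ttl, sig.ttl, sig.original_ttl, sig.expiration - now)


if __name__ == "__main__":
    # Constructed sample: a one-hour A RRset signed for one day.
    sig = RRSIG("A", original_ttl=3600, ttl=3600,
                inception=1000000, expiration=1000000 + 86400)
    print(validated_ttl(7200, sig, 1000000 + 60))          # capped to 3600
    print(validated_ttl(3600, sig, 1000000 + 86400 - 100))  # capped to 100
```

   Dropping the original_ttl term from the min() gives the weaker
   behaviour the RT #23332 item describes: a response that arrives with a
   TTL larger than the signed one would then be cached for the larger
   value.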
Known issues in this release

     * None.

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at
   http://www.isc.org/supportisc.