<!-- - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. --> <!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title></title> <meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"> <div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="id-1.2"></a>Release Notes for BIND Version 9.11.6</h2></div></div></div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> <p> This document summarizes changes since the last production release on the BIND 9.11 (Extended Support Version) branch. Please see the <code class="filename">CHANGES</code> file for a further list of bug fixes and other changes. </p> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_download"></a>Download</h3></div></div></div> <p> The latest versions of BIND 9 software can always be found at <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. </p> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_license"></a>License Change</h3></div></div></div> <p> With the release of BIND 9.11.0, ISC changed to the open source license for BIND from the ISC license to the Mozilla Public License (MPL 2.0). </p> <p> The MPL-2.0 license requires that if you make changes to licensed software (e.g. BIND) and distribute them outside your organization, that you publish those changes under that same license. It does not require that you publish or disclose anything other than the changes you made to our software. </p> <p> This requirement will not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing it without changes. Therefore, this change will be without consequence for most individuals and organizations who are using BIND. </p> <p> Those unsure whether or not the license change affects their use of BIND, or who wish to discuss how to comply with the license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top"> https://www.isc.org/mission/contact/</a>. </p> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div> <p> As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported platforms for BIND; "XP" binaries are no longer available for download from ISC. </p> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"> <p> <span class="command"><strong>named</strong></span> could crash during recursive processing of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was in use. This flaw is disclosed in CVE-2018-5740. [GL #387] </p> </li> <li class="listitem"> <p> When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span> and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] </p> </li> <li class="listitem"> <p> Code change #4964, intended to prevent double signatures when deleting an inactive zone DNSKEY in some situations, introduced a new problem during zone processing in which some delegation glue RRsets are incorrectly identified as needing RRSIGs, which are then created for them using the current active ZSK for the zone. In some, but not all cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but incompletely -- this can result in a broken chain, affecting validation of proof of nonexistence for records in the zone. [GL #771] </p> </li> <li class="listitem"> <p> <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC security root with <span class="command"><strong>managed-keys</strong></span> and the authoritative zone rolled the key to an algorithm not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] </p> </li> <li class="listitem"> <p> <span class="command"><strong>named</strong></span> leaked memory when processing a request with multiple Key Tag EDNS options present. ISC would like to thank Toshifumi Sakaguchi for bringing this to our attention. This flaw is disclosed in CVE-2018-5744. [GL #772] </p> </li> <li class="listitem"> <p> Zone transfer controls for writable DLZ zones were not effective as the <span class="command"><strong>allowzonexfr</strong></span> method was not being called for such zones. This flaw is disclosed in CVE-2019-6465. [GL #790] </p> </li> </ul></div> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_features"></a>New Features</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"> <p> <span class="command"><strong>named</strong></span> now supports the "root key sentinel" mechanism. This enables validating resolvers to indicate which trust anchors are configured for the root, so that information about root key rollover status can be gathered. To disable this feature, add <span class="command"><strong>root-key-sentinel no;</strong></span> to <code class="filename">named.conf</code>. </p> </li> <li class="listitem"> <p> Added the ability not to return a DNS COOKIE option when one is present in the request. To prevent a cookie being returned, add <span class="command"><strong>answer-cookie no;</strong></span> to <code class="filename">named.conf</code>. [GL #173] </p> <p> <span class="command"><strong>answer-cookie no</strong></span> is only intended as a temporary measure, for use when <span class="command"><strong>named</strong></span> shares an IP address with other servers that do not yet support DNS COOKIE. A mismatch between servers on the same address is not expected to cause operational problems, but the option to disable COOKIE responses so that all servers have the same behavior is provided out of an abundance of caution. DNS COOKIE is an important security mechanism, and should not be disabled unless absolutely necessary. </p> </li> <li class="listitem"> <p> Two new update policy rule types have been added <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span> which allow machines with Kerberos principals to update the name space at or below the machine names identified in the respective principals. </p> </li> </ul></div> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_removed"></a>Removed Features</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"> <p> <span class="command"><strong>named</strong></span> will now log a warning if the old BIND now can be compiled against libidn2 library to add IDNA2008 support. Previously BIND only supported IDNA2003 using (now obsolete) idnkit-1 library. </p> </li></ul></div> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"> <p> <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN processing on the input domain name, when BIND is compiled with IDN support. </p> </li> <li class="listitem"> <p> Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now supported. The first <span class="command"><strong>cookie-secret</strong></span> in <code class="filename">named.conf</code> is used to generate new server cookies. Any others are used to accept old server cookies or those generated by other servers using the matching <span class="command"><strong>cookie-secret</strong></span>. </p> </li> <li class="listitem"> <p> The <span class="command"><strong>rndc nta</strong></span> command could not differentiate between views of the same name but different class; this has been corrected with the addition of a <span class="command"><strong>-class</strong></span> option. [GL #105] </p> </li> <li class="listitem"> <p> When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and the <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing when the standard output is not a tty (e.g. not used by human). The command line options +idnin and +idnout need to be used to enable IDN processing when <span class="command"><strong>dig</strong></span> or <span class="command"><strong>nslookup</strong></span> is used from the shell scripts. </p> </li> </ul></div> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"> <p> When a negative trust anchor was added to multiple views using <span class="command"><strong>rndc nta</strong></span>, the text returned via <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the first line, making it appear that only one NTA had been added. This has been fixed. [GL #105] </p> </li> <li class="listitem"> <p> <span class="command"><strong>named</strong></span> now rejects excessively large incremental (IXFR) zone transfers in order to prevent possible corruption of journal files which could cause <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339] </p> </li> <li class="listitem"> <p> <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span> to leak memory if it was invoked before the zone loading actions from a previous <span class="command"><strong>rndc reload</strong></span> command were completed. [RT #47076] </p> </li> </ul></div> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="end_of_life"></a>End of Life</h3></div></div></div> <p> BIND 9.11 (Extended Support Version) will be supported until at least December, 2021. See <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> for details of ISC's software support policy. </p> </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_thanks"></a>Thank You</h3></div></div></div> <p> Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>. </p> </div> </div> </div></body> </html>