
BIND 9.7.2-P2, DNS server

Publication date: 30.09.2010 - 17:36
ЭЖД
bind 9.6.1-P3

Changes since 9.6.1-P2:

2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]


Downloads (~6,3 Mb): ftp://ftp.isc.org/is....6.1-P3.tar.gz
ЭЖД
bind 9.7.0

2849. [bug] Don't treat errors from the xml2 library as fatal.
[RT #20945]

2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
README.rfc5011 into the ARM. [RT #20899]

2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]

2846. [bug] EOF on unix domain sockets was not being handled
correctly. [RT #20731]

2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]

2844. [doc] notify-delay default in ARM was wrong. It should have
been five (5) seconds.

2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
creating key files if there is a chance that the new
key ID will collide with an existing one after
either of the keys has been revoked. (To override
this in the case of dnssec-keyfromlabel, use the -y
option. dnssec-keygen will simply create a
different, noncolliding key, so an override is
not necessary.) [RT #20838]

2842. [func] Added "smartsign" and improved "autosign" and
"dnssec" regression tests. [RT #20865]

2841. [bug] Change 2836 was not complete. [RT #20883]

2840. [bug] Temporarily fixed pkcs11-destroy usage check.
[RT #20760]

2839. [bug] A KSK revoked by named could not be deleted.
[RT #20881]

2838. [placeholder]

2837. [port] Prevent Linux spurious warnings about fwrite().
[RT #20812]

2836. [bug] Keys that were scheduled to become active could
be delayed. [RT #20874]

2835. [bug] Key inactivity dates were inadvertently stored in
the private key file with the outdated tag
"Unpublish" rather than "Inactive". This has been
fixed; however, any existing keys that had Inactive
dates set will now need to have them reset, using
'dnssec-settime -I'. [RT #20868]

2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]

2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
[RT #20851]

2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
to avoid redefinition in some OSes [RT 20831]

2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]

2830. [bug] Changing the OPTOUT setting could take multiple
passes. [RT #20813]

2829. [bug] Fixed potential node inconsistency in rbtdb.c.
[RT #20808]

2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
being released. [RT #20740]

2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]

2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759]

2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]

2822. [bug] rbtdb.c:loadnode() could return the wrong result.
[RT #20802]

2821. [doc] Add note that named-checkconf doesn't automatically
read rndc.key and bind.keys [RT #20758]

2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
[RT #20771]

2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]

2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
[RT #20768]

2816. [bug] previous_closest_nsec() could fail to return
data for NSEC3 nodes [RT #29730]

2815. [bug] Exclusively lock the task when freezing a zone.
[RT #19838]

2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]

2813. [bug] Better handling of unreadable DNSSEC key files.
[RT #20710]

2812. [bug] Make sure updates can't result in a zone with
NSEC-only keys and NSEC3 records. [RT 20748]

2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
output. [RT #20733]

2810. [doc] Clarified the process of transitioning an NSEC3 zone
to insecure. [RT #20746]

2809. [cleanup] Restored accidentally-deleted text in usage output
in dnssec-settime and dnssec-revoke [RT #20739]

2808. [bug] Remove the attempt to install atomic.h from lib/isc.
atomic.h is correctly installed by the architecture
specific subdirectories. [RT #20722]

2807. [bug] Fixed a possible ASSERT when reconfiguring zone
keys. [RT #20720]

2806. [bug] "rndc sign" could delay re-signing the DNSKEY
when it had changed. [RT #20703]

2805. [bug] Fixed namespace problems encountered when building
external programs using non-exported BIND9 libraries
(i.e., built without --enable-exportlib). [RT #20679]

2804. [bug] Send notifies when a zone is signed with "rndc sign"
or as a result of a scheduled key change. [RT #20700]

2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
and genrandom under windows. [RT #20670]

2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]

2801. [func] Detect and report records that are different according
to DNSSEC but are semantically equal according to plain
DNS. Apply plain DNS comparisons rather than DNSSEC
comparisons when processing UPDATE requests.
dnssec-signzone now removes such semantically duplicate
records prior to signing the RRset.

named-checkzone -r {ignore|warn|fail} (default warn)
named-compilezone -r {ignore|warn|fail} (default warn)

named.conf: check-dup-records {ignore|warn|fail};

2800. [func] Reject zones which have NS records which refer to
CNAMEs, DNAMEs or don't have an address record (class IN
only). Reject UPDATEs which would cause the zone
to fail the above checks if committed. [RT #20678]

2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586]

2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683]

2797. [bug] Don't decrement the dispatch manager's maxbuffers.
[RT #20613]

2796. [bug] Missing dns_rdataset_disassociate() call in
dns_nsec3_delnsec3sx(). [RT #20681]

2795. [cleanup] Add text to differentiate "update with no effect"
log messages. [RT #18889]

2794. [bug] Install . [RT #20677]

2793. [func] Add "autosign" and "metadata" tests to the
automatic tests. [RT #19946]

2792. [func] "filter-aaaa-on-v4" can now be set in view
options (if compiled in). [RT #20635]

2791. [bug] The installation of isc-config.sh was broken.
[RT #20667]

2790. [bug] Handle DS queries to stub zones. [RT #20440]

2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]

2788. [bug] dnssec-signzone could sign with keys that were
not requested [RT #20625]

2787. [bug] Spurious log message when zone keys were
dynamically reconfigured. [RT #20659]

2786. [bug] Additional could be promoted to answer. [RT #20663]


Downloads (~6,8 Mb): ftp://ftp.isc.org/is...d-9.7.0.tar.gz
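
Change 2834 in the changelog above, illustrated with an added example (not ISC's code and not part of the original post): it shows for which HMAC-SHA1 key lengths a standard RFC 2104 implementation and an implementation with the wrong key-size threshold disagree. The `legacy_mac` model of the pre-fix behaviour and the `fixup` helper are assumptions; the changelog only says that oversize keys "were used incorrectly".

```python
import hashlib
import hmac

# SHA-1: 20-byte digest, 64-byte block. RFC 2104 pre-hashes a key only when
# it is longer than the block size.
DIGEST_LEN = hashlib.sha1().digest_size
BLOCK_LEN = hashlib.sha1().block_size


def rfc2104_mac(key: bytes, msg: bytes) -> bytes:
    """Standard HMAC-SHA1 as computed by interoperable implementations."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def legacy_mac(key: bytes, msg: bytes) -> bytes:
    """ASSUMED model of the bug: the key is pre-hashed as soon as it exceeds
    the digest length instead of the block length."""
    if len(key) > DIGEST_LEN:
        key = hashlib.sha1(key).digest()
    return hmac.new(key, msg, hashlib.sha1).digest()


def fixup(key: bytes) -> bytes:
    """Hypothetical conversion: replace an oversize secret by its digest, a
    20-byte key that both models above use unchanged."""
    return hashlib.sha1(key).digest() if len(key) > DIGEST_LEN else key


def interoperates(key: bytes, msg: bytes) -> bool:
    """True when both models produce the same MAC for this key."""
    return hmac.compare_digest(rfc2104_mac(key, msg), legacy_mac(key, msg))


if __name__ == "__main__":
    msg = b"constructed message bytes"   # stands in for the signed DNS data
    for n in (16, 20, 32, 64, 80):       # key lengths in bytes
        key = bytes(range(n))            # constructed key, not a real secret
        print(n, interoperates(key, msg), interoperates(fixup(key), msg))
```

Under this model only keys longer than the digest but no longer than the block (21 to 64 bytes for SHA-1) break interoperability, and the converted secret yields the same MAC on both sides.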
ЭЖД
bind 9.7.0-P1

Some of the important features of BIND 9 are:
  • DNS Security
    • DNSSEC (signed zones)
    • TSIG (signed DNS requests)
  • IP version 6
    • Answers DNS queries on IPv6 sockets
    • IPv6 resource records (AAAA, DNAME, etc.)
    • Experimental IPv6 Resolver Library
  • DNS Protocol Enhancements
    • IXFR, DDNS, Notify, EDNS0
    • Improved standards conformance
  • Views
    • One server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients, and an "outside" view to others.
  • Multiprocessor Support
  • Improved Portability Architecture

Downloads (~6,8 Mb): ftp://ftp.isc.org/is....7.0-P1.tar.gz
ЭЖД
bind 9.7.0-P2

Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131]

Downloads (~6,9 Mb): ftp://ftp.isc.org/is....7.0-P2.tar.gz
ЭЖД
bind 9.7.1

2909. [bug] named-checkconf -p could die if "update-policy local;"
was specified in named.conf. [RT #21416]

2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]

2907. [bug] The export version of libdns had undefined references.
[RT #21444]

2906. [bug] Address RFC 5011 implementation issues. [RT #20903]

2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]

2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]

2903. [bug] managed-keys-directory missing from namedconf.c.
[RT #21370]

--- 9.7.1b1 released ---

2902. [func] Add regression test for change 2897. [RT #21040]

2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]

2900. [bug] The placeholder negative caching element was not
properly constructed triggering an INSIST in
dns_ncache_towire(). [RT #21346]

2899. [port] win32: Support linking against OpenSSL 1.0.0.

2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]

2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]

2896. [bug] "rndc sign" failed to properly update the zone
when adding a DNSKEY for publication only. [RT #21045]

2895. [func] genrandom: add support for the generation of multiple
files. [RT #20917]

2894. [contrib] DLZ LDAP support now uses '$' not '%'. [RT #21294]

2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]

2892. [bug] Handle REVOKED keys better. [RT #20961]

2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]

2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]

2889. [bug] Elements of the grammar were not properly reported.
[RT #21046]

2888. [bug] Only the first EDNS option was displayed. [RT #21273]

2887. [bug] Report the keytag times in UTC in the .key file,
local time is presented as a comment within the
comment. [RT #21223]

2886. [bug] ctime() is not thread safe. [RT #21223]

2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]

2884. [bug] Insufficient validation in dns_name_getlabelsequence().
[RT #21283]

2883. [bug] 'dig +short' failed to handle really large datasets.
[RT #21113]

2882. [bug] Remove memory context from list of active contexts
before clearing 'magic'. [RT #21274]

2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]

2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
consistent. [RT #21078]

2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]

2878. [func] Incrementally write the master file after performing
an AXFR. [RT #21010]

2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]

2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]

2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]

2874. [bug] Cache lack of EDNS support only after the server
successfully responds to the query using plain DNS.
[RT #20930]

2873. [bug] Canceling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]

2872. [bug] Modify dns/client.c:dns_client_createx() to only
require one of IPv4 or IPv6 rather than both.
[RT #21122]

2871. [bug] Type mismatch in mem_api.c between the definition and
the header file, causing build failure with
--enable-exportlib. [RT #21138]

2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.

2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]

2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]

2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
don't like it. [RT #20986]

2866. [bug] Windows does not like the TSIG name being compressed.
[RT #20986]

2865. [bug] memset to zero event.data. [RT #20986]

2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
[RT #21050]

2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
[RT #21056]

2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]

2861. [doc] dnssec-settime man pages didn't correctly document the
inactivation time. [RT #21039]

2860. [bug] named-checkconf's usage was out of date. [RT #21039]

2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]

2858. [bug] RTT estimates were not being adjusted on ICMP errors.
[RT #20772]

2857. [bug] named-checkconf did not fail on a bad trusted key.
[RT #20705]

2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]

2853. [bug] add_sigs() could run out of scratch space. [RT #21015]

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

2851. [doc] nslookup.1, removed from the docbook
source as it produced bad nroff. [RT #21007]

2850. [bug] If isc_heap_insert() failed due to memory shortage
the heap would have corrupted entries. [RT #20951]

Downloads (~7,3 Mb): ftp://ftp.isc.org/is...d-9.7.1.tar.gz
ЭЖД
bind 9.7.1-P2

2931. [security] Temporarily and partially disable change 2864
because it would cause infinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]

Downloads (~7,3 Mb): ftp://ftp.isc.org/is....7.1-P2.tar.gz
ЭЖД
bind 9.7.2-P2

New Features

* Zones may be dynamically added and removed with the “rndc addzone” and “rndc delzone” commands. These dynamically added zones are written to a per-view configuration file. Do not rely on the configuration file name nor contents as this will change in a future release. This is an experimental feature at this time.
* Added new “filter-aaaa-on-v4” access control list to select which IPv4 clients have AAAA record filtering applied.
* A new command “rndc secroots” was added to dump a combined summary of the currently managed keys combined with statically configured trust anchors.
* Added support to load new keys into managed zones without signing immediately with "rndc loadkeys". Added support to link keys with "dnssec-keygen -S" and "dnssec-settime -S".

Changes

* Documentation improvements
* ORCHID prefixes were removed from the automatic empty zone list.
* Improved handling of GSSAPI security contexts. Specifically, better memory management of cached contexts, limited lifetime of a context to 1 hour, and added a “realm” command to nsupdate to allow selection of a non-default realm name.
* The contributed tool “ztk” was updated to version 1.0.

Security Fixes

* If BIND, acting as a DNSSEC validating server, has two or more trust anchors configured in named.conf for the same zone (such as example.com) and the response for a record in that zone from the authoritative server includes a bad signature, the validating server will crash while trying to validate that query.
* A flaw where the wrong ACL was applied was fixed. This flaw allowed access to a cache via recursion even though the ACL disallowed it.

Bug Fixes

* Removed a warning message when running BIND 9 under Windows for when a TCP connection was aborted. This is a common occurrence and the warning was extraneous.
* Worked around a race condition in the cache database memory handling. Without this fix a DNS cache DB or ADB could incorrectly stay in an over memory state, effectively refusing further caching, which subsequently made a BIND 9 caching server unworkable.
* Partially disabled change 2864 because it would cause infinite attempts of RRSIG queries.
* BIND did not properly handle non-cacheable negative responses from insecure zones. This caused several non-protocol-compliant zones to become unresolvable. BIND is now more accepting of responses it receives from less strict servers.
* A bug, introduced in BIND 9.7.2, caused named to fail to start if a master zone file was unreadable or missing. This has been corrected in 9.7.2-P1.
* BIND previously accepted answers from authoritative servers that did not provide a "proper" response, such as not setting AA bit. BIND was changed to be more strict in what it accepted but this caused operational issues. This new strictness has been backed out in 9.7.2-P1.

Downloads (~7,3 Mb): ftp://ftp.isc.org/is....7.2-P2.tar.gz
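
The first security fix listed above concerns validating servers with two or more trust anchors configured for the same zone. An added example (not from the original post or from ISC) that lists such zones in a named.conf, so operators still on an affected release can see whether their configuration matches that condition. The sample configuration and key strings are constructed; `include` files and per-view scoping are not handled.

```python
import re
from collections import Counter

# Constructed named.conf fragment; key data are placeholders, not real keys.
SAMPLE_CONF = '''
options { dnssec-validation yes; };   // validating resolver
trusted-keys {
    "example.com." 257 3 5 "AwEAAc//constructed#1";
    example.com    257 3 5 "AwEAAcconstructed2";   # same zone, second anchor
    "example.net." 257 3 5 "AwEAAcconstructed3";
};
/* managed-keys entries are trust anchors as well */
managed-keys {
    "." initial-key 257 3 5 "AwEAAcconstructed4";
};
'''

# Quoted strings come first so that "//" or "#" inside key data survives.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
BLOCK = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.S)
ENTRY = re.compile(
    r'"?([^\s";{}]+)"?\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"[^"]*"\s*;')


def strip_comments(text):
    """Remove /* */, // and # comments while keeping quoted strings intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return TOKEN.sub(keep, text)


def anchors_per_zone(conf_text):
    """Count trust-anchor entries per zone name (lower-cased, fully qualified)."""
    counts = Counter()
    for _kind, body in BLOCK.findall(strip_comments(conf_text)):
        for entry in ENTRY.finditer(body):
            counts[entry.group(1).lower().rstrip('.') + '.'] += 1
    return counts


def zones_with_multiple_anchors(conf_text):
    """Zones that meet the 'two or more trust anchors' condition."""
    return sorted(z for z, n in anchors_per_zone(conf_text).items() if n >= 2)


if __name__ == "__main__":
    for zone in zones_with_multiple_anchors(SAMPLE_CONF):
        print("multiple trust anchors for", zone)
```

Several anchors for one zone are normal during a key rollover, so a hit here is a reason to prioritise the upgrade to 9.7.2-P2, not a configuration error.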