1 __________________________________________________________________
5 BIND 9.7.2-P3 is a maintenance release for BIND 9.7.
7 This document summarizes changes from BIND 9.7.1 to BIND 9.7.2-P3.
8 Please see the CHANGES file in the source code release for a complete
13 The latest release of BIND 9 software can always be found on our web
14 site at http://www.isc.org/software/bind. There you will find
15 additional information about each release, source code, and some
16 pre-compiled versions for certain operating systems.
20 Product support information is available on
21 http://www.isc.org/services/support for paid support options. Free
22 support is provided by our user community via a mailing list.
23 Information on all public email lists is available at
24 https://lists.isc.org/mailman/listinfo.
30 * Zones may be dynamically added and removed with the "rndc addzone"
31 and "rndc delzone" commands. These dynamically added zones are
32 written to a per-view configuration file. Do not rely on the
33 configuration file name nor contents as this will change in a
34 future release. This is an experimental feature at this time.
35 * Added new "filter-aaaa-on-v4" access control list to select which
36 IPv4 clients have AAAA record filtering applied.
37 * A new command "rndc secroots" was added to dump a combined summary
38 of the currently managed keys combined with statically configured
40 * Added support to load new keys into managed zones without signing
41 immediately with "rndc loadkeys". Added support to link keys with
42 "dnssec-keygen -S" and "dnssec-settime -S".
60 * Documentation improvements
61 * ORCHID prefixes were removed from the automatic empty zone list.
62 * Improved handling of GSSAPI security contexts. Specifically, better
63 memory management of cached contexts, limited lifetime of a context
64 to 1 hour, and added a "realm" command to nsupdate to allow
65 selection of a non-default realm name.
66 * The contributed tool "zkt" was updated to version 1.0.
88 * If BIND, acting as a DNSSEC validating server, has two or more
89 trust anchors configured in named.conf for the same zone (such as
90 example.com) and the response for a record in that zone from the
91 authoritative server includes a bad signature, the validating
92 server will crash while trying to validate that query.
96 * A flaw where the wrong ACL was applied was fixed. This flaw allowed
97 access to a cache via recursion even though the ACL disallowed it.
101 * Adding a NO DATA signed negative response to cache failed to clear
102 any matching RRSIG records already in cache. A subsequent lookup of
103 the cached NO DATA entry could crash named (INSIST) when the
104 unexpected RRSIG was also returned with the NO DATA cache entry.
105 [RT #22288] [CVE-2010-3613] [VU#706148]
106 * BIND, acting as a DNSSEC validator, was determining if the NS RRset
107 is insecure based on a value that could mean either that the RRset
108 is actually insecure or that there wasn't a matching key for the
109 RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
110 RRset. This can happen when in the middle of a DNSKEY algorithm
111 rollover, when two different algorithms were used to sign a zone
112 but only the new set of keys are in the zone DNSKEY RRset. [RT
113 #22309] [CVE-2010-3614] [VU#837744]
114 * When BIND is running as an authoritative server for a zone and
115 receives a query for that zone data, it first checks for
116 allow-query acls in the zone statement, then in that view, then in
117 global options. If none of these exist, it defaults to allowing any
118 query (allow-query {"any"};).
119 With this bug, if the allow-query is not set in the zone statement,
120 it failed to check in view or global options and fell back to the
121 default of allowing any query. This means that queries that the
122 zone owner did not wish to allow were incorrectly allowed. [RT
123 #22418] [CVE-2010-3615] [VU#510208]
129 * Removed a warning message when running BIND 9 under Windows for
130 when a TCP connection was aborted. This is a common occurrence and
131 the warning was extraneous.
132 * Worked around a race condition in the cache database memory
133 handling. Without this fix a DNS cache DB or ADB could incorrectly
134 stay in an over memory state, effectively refusing further caching,
135 which subsequently made a BIND 9 caching server unworkable.
136 * Partially disabled change 2864 because it would cause infinite
137 attempts of RRSIG queries.
138 * BIND did not properly handle non-cacheable negative responses from
139 insecure zones. This caused several non-protocol-compliant zones to
140 become unresolvable. BIND is now more accepting of responses it
141 receives from less strict servers.
145 * A bug, introduced in BIND 9.7.2, caused named to fail to start if a
146 master zone file was unreadable or missing. This has been corrected
148 * BIND previously accepted answers from authoritative servers that
149 did not provide a "proper" response, such as not setting AA bit.
150 BIND was changed to be more strict in what it accepted but this
151 caused operational issues. This new strictness has been backed out
160 * Microsoft changed the behavior of sockets between NT/XP based
161 stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
162 behavior, 2008r2 has the new behavior. With the change, different
163 error results are possible, so ISC adapted BIND to handle the new
164 error results. This resolves an issue where sockets would shut down
165 on Windows servers causing named to stop responding to queries. [RT
167 * Windows has non-POSIX compliant behavior in its rename() and
168 unlink() calls. This caused journal compaction to fail on Windows
169 BIND servers with the log error: "dns_journal_compact failed:
170 failure". [RT #22434]
172 Known issues in this release
174 * "make test" will fail on OSX and possibly other operating systems.
175 The failure occurs in a new test to check for allow-query ACLs. The
176 failure is caused because the source address is not specified on
177 the dig commands issued in the test.
178 If running "make test" is part of your usual acceptance process,
179 please edit the file bin/tests/system/allow_query/test.sh and add
185 Thank you to everyone who assisted us in making this release possible.
186 If you would like to contribute to ISC to assist us in continuing to
187 make quality open source software, please visit our donations page at
188 http://www.isc.org/supportisc.