summaryrefslogtreecommitdiffstats
path: root/doc/arm/notes.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/arm/notes.html')
-rw-r--r--doc/arm/notes.html291
1 files changed, 291 insertions, 0 deletions
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
new file mode 100644
index 0000000..78cc2e2
--- /dev/null
+++ b/doc/arm/notes.html
@@ -0,0 +1,291 @@
+<!--
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title></title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article">
+
+ <div class="section">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.5-P4</h2></div></div></div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_intro"></a>Introduction</h3></div></div></div>
+ <p>
+ This document summarizes changes since the last production
+ release on the BIND 9.11 (Extended Support Version) branch.
+ Please see the <code class="filename">CHANGES</code> file for a further
+ list of bug fixes and other changes.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_download"></a>Download</h3></div></div></div>
+ <p>
+ The latest versions of BIND 9 software can always be found at
+ <a class="link" href="http://www.isc.org/downloads/" target="_top">http://www.isc.org/downloads/</a>.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_license"></a>License Change</h3></div></div></div>
+ <p>
+ With the release of BIND 9.11.0, ISC changed to the open
+ source license for BIND from the ISC license to the Mozilla
+ Public License (MPL 2.0).
+ </p>
+ <p>
+ The MPL-2.0 license requires that if you make changes to
+ licensed software (e.g. BIND) and distribute them outside
+ your organization, that you publish those changes under that
+ same license. It does not require that you publish or disclose
+ anything other than the changes you made to our software.
+ </p>
+ <p>
+ This requirement will not affect anyone who is using BIND, with
+ or without modifications, without redistributing it, nor anyone
+ redistributing it without changes. Therefore, this change will be
+ without consequence for most individuals and organizations who are
+ using BIND.
+ </p>
+ <p>
+ Those unsure whether or not the license change affects their
+ use of BIND, or who wish to discuss how to comply with the
+ license may contact ISC at <a class="link" href="https://www.isc.org/mission/contact/" target="_top">
+ https://www.isc.org/mission/contact/</a>.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="win_support"></a>Legacy Windows No Longer Supported</h3></div></div></div>
+ <p>
+ As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
+ platforms for BIND; "XP" binaries are no longer available for download
+ from ISC.
+ </p>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash during recursive processing
+ of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
+ in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
+ and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
+ should be limited to local networks, but they were inadvertently set
+ to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
+ remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Code change #4964, intended to prevent double signatures
+ when deleting an inactive zone DNSKEY in some situations,
+ introduced a new problem during zone processing in which
+ some delegation glue RRsets are incorrectly identified
+ as needing RRSIGs, which are then created for them using
+ the current active ZSK for the zone. In some, but not all
+ cases, the newly-signed RRsets are added to the zone's
+ NSEC/NSEC3 chain, but incompletely -- this can result in
+ a broken chain, affecting validation of proof of nonexistence
+ for records in the zone. [GL #771]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> could crash if it managed a DNSSEC
+ security root with <span class="command"><strong>managed-keys</strong></span> and the
+ authoritative zone rolled the key to an algorithm not supported
+ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Zone transfer controls for writable DLZ zones were not
+ effective as the <span class="command"><strong>allowzonexfr</strong></span> method was
+ not being called for such zones. This flaw is disclosed in
+ CVE-2019-6465. [GL #790]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
+ mechanism. This enables validating resolvers to indicate
+ which trust anchors are configured for the root, so that
+ information about root key rollover status can be gathered.
+ To disable this feature, add
+ <span class="command"><strong>root-key-sentinel no;</strong></span> to
+ <code class="filename">named.conf</code>.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Added the ability not to return a DNS COOKIE option when one
+ is present in the request. To prevent a cookie being returned,
+ add <span class="command"><strong>answer-cookie no;</strong></span> to
+ <code class="filename">named.conf</code>. [GL #173]
+ </p>
+ <p>
+ <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
+ temporary measure, for use when <span class="command"><strong>named</strong></span>
+ shares an IP address with other servers that do not yet
+ support DNS COOKIE. A mismatch between servers on the
+ same address is not expected to cause operational problems,
+ but the option to disable COOKIE responses so that all
+ servers have the same behavior is provided out of an
+ abundance of caution. DNS COOKIE is an important security
+ mechanism, and should not be disabled unless absolutely
+ necessary.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Two new update policy rule types have been added
+ <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
+ which allow machines with Kerberos principals to update
+ the name space at or below the machine names identified
+ in the respective principals.
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> will now log a warning if the old
+ BIND now can be compiled against libidn2 library to add
+ IDNA2008 support. Previously BIND only supported IDNA2003
+ using (now obsolete) idnkit-1 library.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
+ processing on the input domain name, when BIND is compiled
+ with IDN support.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
+ supported. The first <span class="command"><strong>cookie-secret</strong></span> in
+ <code class="filename">named.conf</code> is used to generate new
+ server cookies. Any others are used to accept old server
+ cookies or those generated by other servers using the
+ matching <span class="command"><strong>cookie-secret</strong></span>.
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
+ between views of the same name but different class; this
+ has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
+ option. [GL #105]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ When a negative trust anchor was added to multiple views
+ using <span class="command"><strong>rndc nta</strong></span>, the text returned via
+ <span class="command"><strong>rndc</strong></span> was incorrectly truncated after the
+ first line, making it appear that only one NTA had been
+ added. This has been fixed. [GL #105]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>named</strong></span> now rejects excessively large
+ incremental (IXFR) zone transfers in order to prevent
+ possible corruption of journal files which could cause
+ <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
+ to leak memory if it was invoked before the zone loading actions
+ from a previous <span class="command"><strong>rndc reload</strong></span> command were
+ completed. [RT #47076]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="end_of_life"></a>End of Life</h3></div></div></div>
+ <p>
+ BIND 9.11 (Extended Support Version) will be supported until at
+ least December, 2021.
+ See <a class="link" href="https://www.isc.org/downloads/software-support-policy/" target="_top">https://www.isc.org/downloads/software-support-policy/</a> for details of ISC's software support policy.
+ </p>
+ </div>
+ <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_thanks"></a>Thank You</h3></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ <a class="link" href="http://www.isc.org/donate/" target="_top">http://www.isc.org/donate/</a>.
+ </p>
+ </div>
+</div>
+</div></body>
+</html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-28 06:20:31 +0000