Release Notes for BIND Version 9.11.5-P4

Introduction

This document summarizes changes since the last production release on the
BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file
for a further list of bug fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional information
about each release, source code, and pre-compiled versions for Microsoft
Windows operating systems.

License Change

With the release of BIND 9.11.0, ISC changed the open source license for
BIND from the ISC license to the Mozilla Public License (MPL 2.0).

The MPL-2.0 license requires that if you make changes to licensed software
(e.g. BIND) and distribute them outside your organization, you publish
those changes under that same license. It does not require that you
publish or disclose anything other than the changes you made to our
software.

This requirement will not affect anyone who is using BIND, with or without
modifications, without redistributing it, nor anyone redistributing it
without changes. Therefore, this change will be without consequence for
most individuals and organizations who are using BIND.

Those unsure whether or not the license change affects their use of BIND,
or who wish to discuss how to comply with the license may contact ISC at
https://www.isc.org/mission/contact/.

Legacy Windows No Longer Supported

As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
platforms for BIND; "XP" binaries are no longer available for download
from ISC.

Security Fixes

  * named could crash during recursive processing of DNAME records when
    deny-answer-aliases was in use. This flaw is disclosed in
    CVE-2018-5740. [GL #387]

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

  * Code change #4964, intended to prevent double signatures when deleting
    an inactive zone DNSKEY in some situations, introduced a new problem
    during zone processing in which some delegation glue RRsets are
    incorrectly identified as needing RRSIGs, which are then created for
    them using the current active ZSK for the zone. In some, but not all
    cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
    chain, but incompletely -- this can result in a broken chain,
    affecting validation of proof of nonexistence for records in the zone.
    [GL #771]

  * named could crash if it managed a DNSSEC security root with
    managed-keys and the authoritative zone rolled the key to an algorithm
    not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL
    #780]

  * named leaked memory when processing a request with multiple Key Tag
    EDNS options present. ISC would like to thank Toshifumi Sakaguchi for
    bringing this to our attention. This flaw is disclosed in
    CVE-2018-5744. [GL #772]

  * Zone transfer controls for writable DLZ zones were not effective as
    the allowzonexfr method was not being called for such zones. This flaw
    is disclosed in CVE-2019-6465. [GL #790]
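
Added example, not part of the ISC release notes or of BIND: a small Python audit for the CVE-2018-5738 item above, which flags a named.conf whose global options block leaves recursion enabled without an explicit allow-recursion or allow-query-cache. The function names and sample configs are constructed for illustration; per-view overrides, include files, and comment markers inside quoted strings are not handled.

```python
import re

# Constructed sample configs (not taken from the release notes).
SAMPLE_IMPLICIT = 'options { directory "/var/named"; recursion yes; };'
SAMPLE_EXPLICIT = """options {
    recursion yes;  // explicit ACLs instead of compiled-in defaults
    allow-recursion { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};"""

def strip_comments(text):
    # named.conf accepts /* */, // and # comments; drop all three styles.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_statements(conf):
    """Map each top-level statement keyword in options { } to its value."""
    text = strip_comments(conf)
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return {}
    depth, stmts, cur = 1, {}, ""
    for ch in text[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:      # closing brace of the options block
                break
        if ch == ";" and depth == 1:   # end of a top-level statement
            words = cur.split(None, 1)
            if words:
                stmts[words[0]] = words[1].strip() if len(words) > 1 else ""
            cur = ""
        else:
            cur += ch
    return stmts

def audit_recursion_acls(conf):
    """Report whether recursion relies on default (implicit) ACLs."""
    stmts = options_statements(conf)
    # named treats recursion as enabled when the statement is absent.
    recursion = stmts.get("recursion", "yes").lower()
    if recursion in ("no", "false", "0"):
        return "ok: recursion disabled"
    explicit = [k for k in ("allow-recursion", "allow-query-cache") if k in stmts]
    if explicit:
        return "ok: explicit " + ", ".join(explicit)
    return "review: recursion enabled, allow-recursion/allow-query-cache unset"
```

A "review" result means the effective ACLs depend on the defaults of the installed BIND version, which is the situation the CVE-2018-5738 item describes.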

New Features

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf.

  * Added the ability not to return a DNS COOKIE option when one is
    present in the request. To prevent a cookie being returned, add
    answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use when
    named shares an IP address with other servers that do not yet support
    DNS COOKIE. A mismatch between servers on the same address is not
    expected to cause operational problems, but the option to disable
    COOKIE responses so that all servers have the same behavior is
    provided out of an abundance of caution. DNS COOKIE is an important
    security mechanism, and should not be disabled unless absolutely
    necessary.

  * Two new update policy rule types have been added, krb5-selfsub and
    ms-selfsub, which allow machines with Kerberos principals to update
    the name space at or below the machine names identified in the
    respective principals.

Removed Features

  * named will now log a warning if the old BIND now can be compiled
    against libidn2 library to add IDNA2008 support. Previously BIND only
    supported IDNA2003 using (now obsolete) idnkit-1 library.

Feature Changes

  * dig +noidnin can be used to disable IDN processing on the input domain
    name, when BIND is compiled with IDN support.

  * Multiple cookie-secret clauses are now supported. The first
    cookie-secret in named.conf is used to generate new server cookies.
    Any others are used to accept old server cookies or those generated by
    other servers using the matching cookie-secret.

  * The rndc nta command could not differentiate between views of the same
    name but different class; this has been corrected with the addition of
    a -class option. [GL #105]

Bug Fixes

  * When a negative trust anchor was added to multiple views using rndc
    nta, the text returned via rndc was incorrectly truncated after the
    first line, making it appear that only one NTA had been added. This
    has been fixed. [GL #105]

  * named now rejects excessively large incremental (IXFR) zone transfers
    in order to prevent possible corruption of journal files which could
    cause named to abort when loading zones. [GL #339]

  * rndc reload could cause named to leak memory if it was invoked before
    the zone loading actions from a previous rndc reload command were
    completed. [RT #47076]

End of Life

BIND 9.11 (Extended Support Version) will be supported until at least
December, 2021. See https://www.isc.org/downloads/software-support-policy/
for details of ISC's software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible. If
you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
http://www.isc.org/donate/.