diff options
Diffstat (limited to 'doc/arm/notes.txt')
| -rw-r--r-- | doc/arm/notes.txt | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt new file mode 100644 index 0000000..3db2e78 --- /dev/null +++ b/doc/arm/notes.txt @@ -0,0 +1,150 @@ +Release Notes for BIND Version 9.11.5-P4 + +Introduction + +This document summarizes changes since the last production release on the +BIND 9.11 (Extended Support Version) branch. Please see the CHANGES file +for a further list of bug fixes and other changes. + +Download + +The latest versions of BIND 9 software can always be found at http:// +www.isc.org/downloads/. There you will find additional information about +each release, source code, and pre-compiled versions for Microsoft Windows +operating systems. + +License Change + +With the release of BIND 9.11.0, ISC changed to the open source license +for BIND from the ISC license to the Mozilla Public License (MPL 2.0). + +The MPL-2.0 license requires that if you make changes to licensed software +(e.g. BIND) and distribute them outside your organization, that you +publish those changes under that same license. It does not require that +you publish or disclose anything other than the changes you made to our +software. + +This requirement will not affect anyone who is using BIND, with or without +modifications, without redistributing it, nor anyone redistributing it +without changes. Therefore, this change will be without consequence for +most individuals and organizations who are using BIND. + +Those unsure whether or not the license change affects their use of BIND, +or who wish to discuss how to comply with the license may contact ISC at +https://www.isc.org/mission/contact/. + +Legacy Windows No Longer Supported + +As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported +platforms for BIND; "XP" binaries are no longer available for download +from ISC. + +Security Fixes + + * named could crash during recursive processing of DNAME records when + deny-answer-aliases was in use. This flaw is disclosed in + CVE-2018-5740. [GL #387] + + * When recursion is enabled but the allow-recursion and + allow-query-cache ACLs are not specified, they should be limited to + local networks, but they were inadvertently set to match the default + allow-query, thus allowing remote queries. This flaw is disclosed in + CVE-2018-5738. [GL #309] + + * Code change #4964, intended to prevent double signatures when deleting + an inactive zone DNSKEY in some situations, introduced a new problem + during zone processing in which some delegation glue RRsets are + incorrectly identified as needing RRSIGs, which are then created for + them using the current active ZSK for the zone. In some, but not all + cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 + chain, but incompletely -- this can result in a broken chain, + affecting validation of proof of nonexistence for records in the zone. + [GL #771] + + * named could crash if it managed a DNSSEC security root with + managed-keys and the authoritative zone rolled the key to an algorithm + not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL + #780] + + * named leaked memory when processing a request with multiple Key Tag + EDNS options present. ISC would like to thank Toshifumi Sakaguchi for + bringing this to our attention. This flaw is disclosed in + CVE-2018-5744. [GL #772] + + * Zone transfer controls for writable DLZ zones were not effective as + the allowzonexfr method was not being called for such zones. This flaw + is disclosed in CVE-2019-6465. [GL #790] + +New Features + + * named now supports the "root key sentinel" mechanism. This enables + validating resolvers to indicate which trust anchors are configured + for the root, so that information about root key rollover status can + be gathered. To disable this feature, add root-key-sentinel no; to + named.conf. + + * Added the ability not to return a DNS COOKIE option when one is + present in the request. To prevent a cookie being returned, add + answer-cookie no; to named.conf. [GL #173] + + answer-cookie no is only intended as a temporary measure, for use when + named shares an IP address with other servers that do not yet support + DNS COOKIE. A mismatch between servers on the same address is not + expected to cause operational problems, but the option to disable + COOKIE responses so that all servers have the same behavior is + provided out of an abundance of caution. DNS COOKIE is an important + security mechanism, and should not be disabled unless absolutely + necessary. + + * Two new update policy rule types have been added krb5-selfsub and + ms-selfsub which allow machines with Kerberos principals to update the + name space at or below the machine names identified in the respective + principals. + +Removed Features + + * named will now log a warning if the old BIND now can be compiled + against libidn2 library to add IDNA2008 support. Previously BIND only + supported IDNA2003 using (now obsolete) idnkit-1 library. + +Feature Changes + + * dig +noidnin can be used to disable IDN processing on the input domain + name, when BIND is compiled with IDN support. + + * Multiple cookie-secret clause are now supported. The first + cookie-secret in named.conf is used to generate new server cookies. + Any others are used to accept old server cookies or those generated by + other servers using the matching cookie-secret. + + * The rndc nta command could not differentiate between views of the same + name but different class; this has been corrected with the addition of + a -class option. [GL #105] + +Bug Fixes + + * When a negative trust anchor was added to multiple views using rndc + nta, the text returned via rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been added. This + has been fixed. [GL #105] + + * named now rejects excessively large incremental (IXFR) zone transfers + in order to prevent possible corruption of journal files which could + cause named to abort when loading zones. [GL #339] + + * rndc reload could cause named to leak memory if it was invoked before + the zone loading actions from a previous rndc reload command were + completed. [RT #47076] + +End of Life + +BIND 9.11 (Extended Support Version) will be supported until at least +December, 2021. See https://www.isc.org/downloads/software-support-policy/ +for details of ISC's software support policy. + +Thank You + +Thank you to everyone who assisted us in making this release possible. If +you would like to contribute to ISC to assist us in continuing to make +quality open source software, please visit our donations page at http:// +www.isc.org/donate/. |