diff options
Diffstat (limited to 'doc/arm/notes.xml')
| -rw-r--r-- | doc/arm/notes.xml | 271 |
1 files changed, 271 insertions, 0 deletions
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml new file mode 100644 index 0000000..029d9ef --- /dev/null +++ b/doc/arm/notes.xml @@ -0,0 +1,271 @@ +<!DOCTYPE book [ +<!ENTITY Scaron "Š"> +<!ENTITY ccaron "č"> +<!ENTITY aacute "á"> +<!ENTITY mdash "—"> +<!ENTITY ouml "ö">]> +<!-- + - Copyright (C) Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. + - + - See the COPYRIGHT file distributed with this work for additional + - information regarding copyright ownership. +--> + +<section xmlns:db="http://docbook.org/ns/docbook" version="5.0"><info/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/> + <section xml:id="relnotes_intro"><info><title>Introduction</title></info> + <para> + This document summarizes changes since the last production + release on the BIND 9.11 (Extended Support Version) branch. + Please see the <filename>CHANGES</filename> file for a further + list of bug fixes and other changes. + </para> + </section> + + <section xml:id="relnotes_download"><info><title>Download</title></info> + <para> + The latest versions of BIND 9 software can always be found at + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. + </para> + </section> + + <section xml:id="relnotes_license"><info><title>License Change</title></info> + <para> + With the release of BIND 9.11.0, ISC changed to the open + source license for BIND from the ISC license to the Mozilla + Public License (MPL 2.0). + </para> + <para> + The MPL-2.0 license requires that if you make changes to + licensed software (e.g. BIND) and distribute them outside + your organization, that you publish those changes under that + same license. It does not require that you publish or disclose + anything other than the changes you made to our software. + </para> + <para> + This requirement will not affect anyone who is using BIND, with + or without modifications, without redistributing it, nor anyone + redistributing it without changes. Therefore, this change will be + without consequence for most individuals and organizations who are + using BIND. + </para> + <para> + Those unsure whether or not the license change affects their + use of BIND, or who wish to discuss how to comply with the + license may contact ISC at <link + xmlns:xlink="http://www.w3.org/1999/xlink" + xlink:href="https://www.isc.org/mission/contact/"> + https://www.isc.org/mission/contact/</link>. + </para> + </section> + + <section xml:id="win_support"><info><title>Legacy Windows No Longer Supported</title></info> + <para> + As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported + platforms for BIND; "XP" binaries are no longer available for download + from ISC. + </para> + </section> + + <section xml:id="relnotes_security"><info><title>Security Fixes</title></info> + <itemizedlist> + <listitem> + <para> + <command>named</command> could crash during recursive processing + of DNAME records when <command>deny-answer-aliases</command> was + in use. This flaw is disclosed in CVE-2018-5740. [GL #387] + </para> + </listitem> + <listitem> + <para> + When recursion is enabled but the <command>allow-recursion</command> + and <command>allow-query-cache</command> ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default <command>allow-query</command>, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] + </para> + </listitem> + <listitem> + <para> + Code change #4964, intended to prevent double signatures + when deleting an inactive zone DNSKEY in some situations, + introduced a new problem during zone processing in which + some delegation glue RRsets are incorrectly identified + as needing RRSIGs, which are then created for them using + the current active ZSK for the zone. In some, but not all + cases, the newly-signed RRsets are added to the zone's + NSEC/NSEC3 chain, but incompletely -- this can result in + a broken chain, affecting validation of proof of nonexistence + for records in the zone. [GL #771] + </para> + </listitem> + <listitem> + <para> + <command>named</command> could crash if it managed a DNSSEC + security root with <command>managed-keys</command> and the + authoritative zone rolled the key to an algorithm not supported + by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] + </para> + </listitem> + <listitem> + <para> + <command>named</command> leaked memory when processing a + request with multiple Key Tag EDNS options present. ISC + would like to thank Toshifumi Sakaguchi for bringing this + to our attention. This flaw is disclosed in CVE-2018-5744. + [GL #772] + </para> + </listitem> + <listitem> + <para> + Zone transfer controls for writable DLZ zones were not + effective as the <command>allowzonexfr</command> method was + not being called for such zones. This flaw is disclosed in + CVE-2019-6465. [GL #790] + </para> + </listitem> + </itemizedlist> + </section> + + <section xml:id="relnotes_features"><info><title>New Features</title></info> + <itemizedlist> + <listitem> + <para> + <command>named</command> now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + <command>root-key-sentinel no;</command> to + <filename>named.conf</filename>. + </para> + </listitem> + <listitem> + <para> + Added the ability not to return a DNS COOKIE option when one + is present in the request. To prevent a cookie being returned, + add <command>answer-cookie no;</command> to + <filename>named.conf</filename>. [GL #173] + </para> + <para> + <command>answer-cookie no</command> is only intended as a + temporary measure, for use when <command>named</command> + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the + same address is not expected to cause operational problems, + but the option to disable COOKIE responses so that all + servers have the same behavior is provided out of an + abundance of caution. DNS COOKIE is an important security + mechanism, and should not be disabled unless absolutely + necessary. + </para> + </listitem> + <listitem> + <para> + Two new update policy rule types have been added + <command>krb5-selfsub</command> and <command>ms-selfsub</command> + which allow machines with Kerberos principals to update + the name space at or below the machine names identified + in the respective principals. + </para> + </listitem> + </itemizedlist> + </section> + + <section xml:id="relnotes_removed"><info><title>Removed Features</title></info> + <itemizedlist> + <listitem> + <para> + <command>named</command> will now log a warning if the old + BIND now can be compiled against libidn2 library to add + IDNA2008 support. Previously BIND only supported IDNA2003 + using (now obsolete) idnkit-1 library. + </para> + </listitem> + </itemizedlist> + </section> + + <section xml:id="relnotes_changes"><info><title>Feature Changes</title></info> + <itemizedlist> + <listitem> + <para> + <command>dig +noidnin</command> can be used to disable IDN + processing on the input domain name, when BIND is compiled + with IDN support. + </para> + </listitem> + <listitem> + <para> + Multiple <command>cookie-secret</command> clause are now + supported. The first <command>cookie-secret</command> in + <filename>named.conf</filename> is used to generate new + server cookies. Any others are used to accept old server + cookies or those generated by other servers using the + matching <command>cookie-secret</command>. + </para> + </listitem> + <listitem> + <para> + The <command>rndc nta</command> command could not differentiate + between views of the same name but different class; this + has been corrected with the addition of a <command>-class</command> + option. [GL #105] + </para> + </listitem> + </itemizedlist> + </section> + + <section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info> + <itemizedlist> + <listitem> + <para> + When a negative trust anchor was added to multiple views + using <command>rndc nta</command>, the text returned via + <command>rndc</command> was incorrectly truncated after the + first line, making it appear that only one NTA had been + added. This has been fixed. [GL #105] + </para> + </listitem> + <listitem> + <para> + <command>named</command> now rejects excessively large + incremental (IXFR) zone transfers in order to prevent + possible corruption of journal files which could cause + <command>named</command> to abort when loading zones. [GL #339] + </para> + </listitem> + <listitem> + <para> + <command>rndc reload</command> could cause <command>named</command> + to leak memory if it was invoked before the zone loading actions + from a previous <command>rndc reload</command> command were + completed. [RT #47076] + </para> + </listitem> + </itemizedlist> + </section> + + <section xml:id="end_of_life"><info><title>End of Life</title></info> + <para> + BIND 9.11 (Extended Support Version) will be supported until at + least December, 2021. + See <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://www.isc.org/downloads/software-support-policy/">https://www.isc.org/downloads/software-support-policy/</link> for details of ISC's software support policy. + </para> + </section> + <section xml:id="relnotes_thanks"><info><title>Thank You</title></info> + + <para> + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/donate/">http://www.isc.org/donate/</link>. + </para> + </section> +</section> |