Appendix A. Release Notes
+Prev		Next +

+Release Notes

Table of Contents

Release Notes for BIND Version 9.11.5-P4

Introduction
Download
License Change
Legacy Windows No Longer Supported
Security Fixes
New Features
Removed Features
Feature Changes
Bug Fixes
End of Life
Thank You

+Release Notes for BIND Version 9.11.5-P4

+ +

+Introduction

+ This document summarizes changes since the last production + release on the BIND 9.11 (Extended Support Version) branch. + Please see the CHANGES file for a further + list of bug fixes and other changes. +

+ +

+Download

+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +

+ +

+License Change

+ With the release of BIND 9.11.0, ISC changed to the open + source license for BIND from the ISC license to the Mozilla + Public License (MPL 2.0). +

+ The MPL-2.0 license requires that if you make changes to + licensed software (e.g. BIND) and distribute them outside + your organization, that you publish those changes under that + same license. It does not require that you publish or disclose + anything other than the changes you made to our software. +

+ This requirement will not affect anyone who is using BIND, with + or without modifications, without redistributing it, nor anyone + redistributing it without changes. Therefore, this change will be + without consequence for most individuals and organizations who are + using BIND. +

+ Those unsure whether or not the license change affects their + use of BIND, or who wish to discuss how to comply with the + license may contact ISC at + https://www.isc.org/mission/contact/. +

+ +

+Legacy Windows No Longer Supported

+ As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported + platforms for BIND; "XP" binaries are no longer available for download + from ISC. +

+ +

+Security Fixes

+
+ named could crash during recursive processing + of DNAME records when deny-answer-aliases was + in use. This flaw is disclosed in CVE-2018-5740. [GL #387] +
+
+
+ When recursion is enabled but the allow-recursion + and allow-query-cache ACLs are not specified, they + should be limited to local networks, but they were inadvertently set + to match the default allow-query, thus allowing + remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] +
+
+
+ Code change #4964, intended to prevent double signatures + when deleting an inactive zone DNSKEY in some situations, + introduced a new problem during zone processing in which + some delegation glue RRsets are incorrectly identified + as needing RRSIGs, which are then created for them using + the current active ZSK for the zone. In some, but not all + cases, the newly-signed RRsets are added to the zone's + NSEC/NSEC3 chain, but incompletely -- this can result in + a broken chain, affecting validation of proof of nonexistence + for records in the zone. [GL #771] +
+
+
+ named could crash if it managed a DNSSEC + security root with managed-keys and the + authoritative zone rolled the key to an algorithm not supported + by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] +
+
+
+ named leaked memory when processing a + request with multiple Key Tag EDNS options present. ISC + would like to thank Toshifumi Sakaguchi for bringing this + to our attention. This flaw is disclosed in CVE-2018-5744. + [GL #772] +
+
+
+ Zone transfer controls for writable DLZ zones were not + effective as the allowzonexfr method was + not being called for such zones. This flaw is disclosed in + CVE-2019-6465. [GL #790] +
+

+ +

+New Features

+
+ named now supports the "root key sentinel" + mechanism. This enables validating resolvers to indicate + which trust anchors are configured for the root, so that + information about root key rollover status can be gathered. + To disable this feature, add + root-key-sentinel no; to + named.conf. +
+
+
+ Added the ability not to return a DNS COOKIE option when one + is present in the request. To prevent a cookie being returned, + add answer-cookie no; to + named.conf. [GL #173] +
+
+ answer-cookie no is only intended as a + temporary measure, for use when named + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the + same address is not expected to cause operational problems, + but the option to disable COOKIE responses so that all + servers have the same behavior is provided out of an + abundance of caution. DNS COOKIE is an important security + mechanism, and should not be disabled unless absolutely + necessary. +
+
+
+ Two new update policy rule types have been added + krb5-selfsub and ms-selfsub + which allow machines with Kerberos principals to update + the name space at or below the machine names identified + in the respective principals. +
+

+ +

+Removed Features

+
+ named will now log a warning if the old + BIND now can be compiled against libidn2 library to add + IDNA2008 support. Previously BIND only supported IDNA2003 + using (now obsolete) idnkit-1 library. +
+

+ +

+Feature Changes

+
+ dig +noidnin can be used to disable IDN + processing on the input domain name, when BIND is compiled + with IDN support. +
+
+
+ Multiple cookie-secret clause are now + supported. The first cookie-secret in + named.conf is used to generate new + server cookies. Any others are used to accept old server + cookies or those generated by other servers using the + matching cookie-secret. +
+
+
+ The rndc nta command could not differentiate + between views of the same name but different class; this + has been corrected with the addition of a -class + option. [GL #105] +
+

+ +

+Bug Fixes

+
+ When a negative trust anchor was added to multiple views + using rndc nta, the text returned via + rndc was incorrectly truncated after the + first line, making it appear that only one NTA had been + added. This has been fixed. [GL #105] +
+
+
+ named now rejects excessively large + incremental (IXFR) zone transfers in order to prevent + possible corruption of journal files which could cause + named to abort when loading zones. [GL #339] +
+
+
+ rndc reload could cause named + to leak memory if it was invoked before the zone loading actions + from a previous rndc reload command were + completed. [RT #47076] +
+

+ +

+End of Life

+ BIND 9.11 (Extended Support Version) will be supported until at + least December, 2021. + See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy. +

+Thank You

+ +

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +

+Prev		Next +
Chapter 8. Troubleshooting	Home	Appendix B. A Brief History of the DNS and BIND +