BIND 9.6.2 Release Candidate 1 is now available.
BIND 9.6.2rc1 is a maintenance release candidate for BIND 9.6.
BIND 9.6.2rc1 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz
The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/bind-9.6.2rc1.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at <http://www.isc.org/files/pgpkey2009.txt>.
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip
The PGP signature of the binary kit is at
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.6.2rc1/BIND9.6.2rc1.debug.zip.sha512.asc
Changes since 9.6.0:
--- 9.6.2rc1 released ---
2838. [func] Backport support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512, from BIND 9.7. (This
incorporates changes 2726 and 2738 from that
release branch.) [RT #20871]
2837. [port] Prevent Linux spurious warnings about fwrite().
[RT #20812]
2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771]
2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]
2815. [bug] Exclusively lock the task when freezing a zone.
[RT #19838]
2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]
--- 9.6.2b1 released ---
2797. [bug] Don't decrement the dispatch manager's maxbuffers.
[RT #20613]
2790. [bug] Handle DS queries to stub zones. [RT #20440]
2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
2786. [bug] Additional could be promoted to answer. [RT #20663]
2784. [bug] TC was not always being set when required glue was
dropped. [RT #20655]
2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
buffer size of 512 or less. [RT #20654]
2782. [port] win32: use getaddrinfo() for hostname lookups.
[RT #20650]
2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
2765. [bug] Skip masters for which the TSIG key cannot be found.
[RT #20595]
2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2759. [doc] Add information about .jbk/.jnw files to
the ARM. [RT #20303]
2758. [bug] win32: Added a workaround for a windows 2008 bug
that could cause the UDP client handler to shut
down. [RT #19176]
2757. [bug] dig: assertion failure could occur in connect
timeout. [RT #20599]
2755. [doc] Clarify documentation of keyset- files in
dnssec-signzone man page. [RT #19810]
2754. [bug] Secure-to-insecure transitions failed when zone
was signed with NSEC3. [RT #20587]
2750. [bug] dig: assertion failure could occur when a server
didn't have an address. [RT #20579]
2749. [bug] ixfr-from-differences generated a non-minimal ixfr
for NSEC3 signed zones. [RT #20452]
2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541]
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
for a insecure delegation.
2729. [func] When constructing a CNAME from a DNAME use the DNAME
TTL. [RT #20451]
2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
isc_base64_totext(), didn't always mark regions of
memory as fully consumed after conversion. [RT #20445]
2722. [bug] Ensure that the memory associated with the name of
a node in a rbt tree is not altered during the life
of the node. [RT #20431]
2721. [port] Have dst__entropy_status() prime the random number
generator. [RT #20369]
2718. [bug] The space calculations in opensslrsa_todns() were
incorrect. [RT #20394]
2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
2715. [bug] Require OpenSSL support to be explicitly disabled.
[RT #20288]
2714. [port] aix/powerpc: 'asm("ics");' needs non standard assembler
flags.
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]
2705. [bug] Reconcile the XML stats version number with a later
BIND9 release, by adding a "name" attribute to
"cache" elements and increasing the version number
to 2.2. (This is a minor version change, but may
affect XML parsers if they assume the cache element
doesn't take an attribute.)
2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial. [RT #19387]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
2700. [doc] The match-mapped-addresses option is discouraged.
[RT #12252]
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including <isc/stat.h>.
[RT #20309]
2696. [bug] named failed to successfully process some valid
acl constructs. [RT #20308]
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]
2689. [bug] Correctly handle snprintf result. [RT #20306]
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]
2686. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]
2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]
2672. [bug] Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]
2670. [bug] Unexpected connect failures failed to log enough
information to be useful. [RT #20205]
2663. [func] win32: allow named to run as a service using
"NT AUTHORITY\LocalService" as the account. [RT #19977]
2662. [bug] lwres_getipnodebyname() and lwres_getipnodebyaddr()
returned a misleading error code when lwresd was
down. [RT #20028]
2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
creating lwres context. [RT #20029]
2659. [doc] Clarify dnssec-keygen doc: key name must match zone
name for DNSSEC keys. [RT #19938]
2656. [func] win32: add a "tools only" check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevant DLLs. [RT #19998]
2655. [doc] Document that key-directory does not affect
rndc.key. [RT #20155]
2653. [bug] Treat ENGINE_load_private_key() failures as key
not found rather than out of memory. [RT #18033]
2649. [bug] Set the domain for forward only zones. [RT #19944]
2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
2647. [bug] Remove unnecessary SOA updates when a new KSK is
added. [RT #19913]
2646. [bug] Incorrect cleanup on error in socket.c. [RT #19987]
2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]
2643. [bug] Stub zones interacted badly with NSEC3 support.
[RT #19777]
2642. [bug] nsupdate could dump core on solaris when reading
improperly formatted key files. [RT #20015]
2640. [security] A specially crafted update packet will cause named
to exit. [RT #20000]
2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]
2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]
2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2632. [func] util/kit.sh: warn if documentation appears to be out of
date. [RT #19922]
2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
2623. [bug] Named started seaches for DS non-optimally. [RT #19915]
2621. [doc] Made copyright boilterplate consistent. [RT #19833]
2920. [bug] Delay thawing the zone until the reload of it has
completed successfully. [RT #19750]
2618. [bug] The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]
2617. [bug] ifconfig.sh failed to emit an error message when
run from the wrong location. [RT #19375]
2616. [bug] 'host' used the nameservers from resolv.conf even
when a explicit nameserver was specified. [RT #19852]
2615. [bug] "__attribute__((unused))" was in the wrong place
for ia64 gcc builds. [RT #19854]
2614. [port] win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]
2613. [bug] Option argument validation was missing for
dnssec-dsfromkey. [RT #19828]
2610. [port] sunos: Change #2363 was not complete. [RT #19796]
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
The post sign verification test ensures that for each
algorithm in use there is at least one non revoked
self signed KSK key. That all revoked KSK keys are
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
2601. [doc] Mention file creation mode mask in the
named manual page.
2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
[RT #19626]
2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
Requires MySQL 5.0.19 or later. [RT #19084]
2580. [bug] UpdateRej statistics counter could be incremented twice
for one rejection. [RT #19476]
2533. [doc] ARM: document @ (at-sign). [RT #17144]
2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
function. [RT #18582]
--- 9.6.1 released ---
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
[RT #19749]
2606. [bug] "delegation-only" was not being accepted in
delegation-only type zones. [RT #19717]
2605. [bug] Accept DS responses from delegation only zones.
[RT # 19296]
2603. [port] win32: handle .exe extension of named-checkzone and
named-comilezone argv[0] names under windows.
[RT #19767]
2602. [port] win32: fix debugging command line build of libisccfg.
[RT #19767]
--- 9.6.1rc1 released ---
2599. [bug] Address rapid memory growth when validation fails.
[RT #19654]
2597. [bug] Handle a validation failure with a insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay
long, leading to inefficient memory usage or rejecting
newer cache entries in the worst case. [RT #19563]
2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2591. [bug] named could die when processing a update in
removed_orphaned_ds(). [RT #19507]
2588. [bug] SO_REUSEADDR could be set unconditionally after failure
of bind(2) call. This should be rare and mostly
harmless, but may cause interference with other
processes that happen to use the same port. [RT #19642]
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
or SDB. [RT #19577]
2585. [bug] Uninitialized socket name could be referenced via a
statistics channel, triggering an assertion failure in
XML rendering. [RT #19427]
2584. [bug] alpha: gcc optimization could break atomic operations.
[RT #19227]
2583. [port] netbsd: provide a control to not add the compile
date to the version string, -DNO_VERSION_DATE.
2582. [bug] Don't emit warning log message when we attempt to
remove non-existent journal. [RT #19516]
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2578. [bug] Changed default sig-signing-type to 65534, because
65535 turns out to be reserved. [RT #19477]
2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
[RT #18837]
--- 9.6.1b1 released ---
2577. [doc] Clarified some statistics counters. [RT #19454]
2576. [bug] NSEC record were not being correctly signed when
a zone transitions from insecure to secure.
Handle such incorrectly signed zones. [RT #19114]
2574. [doc] Document nsupdate -g and -o. [RT #19351]
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
single transaction in a signed zone failed. [RT #19397]
2568. [bug] Report when the write to indicate a otherwise
successful start fails. [RT #19360]
2567. [bug] dst__privstruct_writefile() could miss write errors.
write_public_key() could miss write errors.
dnssec-dsfromkey could miss write errors.
[RT #19360]
2564. [bug] Only take EDNS fallback steps when processing timeouts.
[RT #19405]
2563. [bug] Dig could leak a socket causing it to wait forever
to exit. [RT #19359]
2562. [doc] ARM: miscellaneous improvements, reorganization,
and some new content.
2561. [doc] Add isc-config.sh(1) man page. [RT #16378]
2560. [bug] Add #include <config.h> to iptable.c. [RT #18258]
2559. [bug] dnssec-dsfromkey could compute bad DS records when
reading from a K* files. [RT #19357]
2557. [cleanup] PCI compliance:
* new libisc log module file
* isc_dir_chroot() now also changes the working
directory to "/".
* additional INSISTs
* additional logging when files can't be removed.
2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the
error checks in the correct order resulting in the
wrong error code sometimes being returned. [RT #19249]
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
2552. [bug] zero-no-soa-ttl-cache was not being honoured.
[RT #19340]
2551. [bug] Potential Reference leak on return. [RT #19341]
2550. [bug] Check --with-openssl=<path> finds <openssl/opensslv.h>.
[RT #19343]
2549. [port] linux: define NR_OPEN if not currently defined.
[RT #19344]
2548. [bug] Install iterated_hash.h. [RT #19335]
2547. [bug] openssl_link.c:mem_realloc() could reference an
out-of-range area of the source buffer. New public
function isc_mem_reallocate() was introduced to address
this bug. [RT #19313]
2545. [doc] ARM: Legal hostname checking (check-names) is
for SRV RDATA too. [RT #19304]
2544. [cleanup] Removed unused structure members in adb.c. [RT #19225]
2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113]
2542. [doc] Update the description of dig +adflag. [RT #19290]
2541. [bug] Conditionally update dispatch manager statistics.
[RT #19247]
2539. [security] Update the interaction between recursion, allow-query,
allow-query-cache and allow-recursion. [RT #19198]
2538. [bug] cache/ADB memory could grow over max-cache-size,
especially with threads and smaller max-cache-size
values. [RT #19240]
2537. [experimental] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2536. [cleanup] Silence some warnings when -Werror=format-security is
specified. [RT #19083]
2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
2532. [bug] dig: check the question section of the response to
see if it matches the asked question. [RT #18495]
2531. [bug] Change #2207 was incomplete. [RT #19098]
2530. [bug] named failed to reject insecure to secure transitions
via UPDATE. [RT #19101]
2529. [cleanup] Upgrade libtool to silence complaints from recent
version of autoconf. [RT #18657]
2528. [cleanup] Silence spurious configure warning about
--datarootdir [RT #19096]
2527. [bug] named could reuse cache on reload with
enabling/disabling validation. [RT #19119]
2525. [experimental] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. [RT #19027]
2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129]
2523. [bug] Random type rdata freed by dns_nsec_typepresent().
[RT #19112]
2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
2521. [bug] Improve epoll cross compilation support. [RT #19047]
2519. [bug] dig/host with -4 or -6 didn't work if more than two
nameserver addresses of the excluded address family
preceded in resolv.conf. [RT #19081]
2517. [bug] dig +trace with -4 or -6 failed when it chose a
nameserver address of the excluded address type.
[RT #18843]
2516. [bug] glue sort for responses was performed even when not
needed. [RT #19039]
2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
a nameserver of the excluded address family.
[RT #18848]
2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
[RT #18885]
2506. [port] solaris: Check at configure time if
hack_shutup_pthreadonceinit is needed. [RT #19037]
2505. [port] Treat amd64 similarly to x86_64 when determining
atomic operation support. [RT #19031]
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in <isc/radix.h>. [RT #18534]
--- 9.6.0 released ---
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
