BIND 9.8.2b1 is now available

Fri, 09 Dec 2011 14:13:32 -0800 

BIND 9.8.2b1 is now available.

BIND 9.8.2b1 is the first beta release of BIND 9.8.2.

   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download
        
   The latest versions of BIND 9 software can always be found on
   our web site at http://www.isc.org/downloads/all. There you will
   find additional information about each release, source code, and
   pre-compiled versions for Microsoft Windows operating systems.
        
Support
        
   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.
        
Security Fixes

-  BIND 9 nameservers performing recursive queries could cache an
   invalid record and subsequent queries for that record could crash
   the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

-  It is now possible to explicitly disable DLV in named.conf by
   specifying "dnssec-lookaside no;". This is the default, but the
   ability to configure it makes it clearly visible to administrators.
   [RT #24858]

Bug Fixes

-  Fixed a corner case race condition in the validator that may
   cause an assert in a multi-threaded build of BIND.  [RT #26478]

-  Poor error handling could cause named to hang during shutdown.
   [RT #26372]

-  named now correctly validates DNSSEC positive wildcard responses
   from NSEC3 signed zones. [RT #26200]

-  Fixes a problem with the computation of tags for revoked keys.
   [RT #26186]

-  Corrects a problem with change #3186.  dns_db_rpz_findips() could
   fail to set the database version correctly, causing an assertion
   failure. [RT #26180]

-  Master servers that had previously been marked as unreachable
   because of failed zone transfer attempts will now be removed
   from the "unreachable" list (i.e. considered reachable again)
   if the slave receives a NOTIFY message from them. [RT #25960]

-  Fixes a bug in zone.c where failure to delete signatures could
   lead to an assertion failure and subsequent abort. [RT #25880]

-  Corrects a problem validating root DS responses. [RT #25726]

-  Fixes a problem whereby "rndc dumpdb" could cause an assertion
   failure and abort by attempting to print an empty rdataset [RT
   #25452]

-  The order in which we process the reactivation of a dead node
   in cache and the incrementing of its reference count created a
   small timing window during which an inconsistency could be
   detected and an assert occur in a multi-threaded environment.
   This should no longer occur.  [RT #23219]

-  'dig -y' would crash when passed an unknown TSIG algorithm. dig
   now handles unknown TSIG algorithms more gracefully. [RT #25522]

-  Servers that received negative responses from a forwarder were
   failing to cache the answers correctly, resulting in multiple
   queries for the same non-existent name being sent to the forwarders
   instead of answers being provided to clients from cache (until
   TTL expiry). [RT #25380]

-  Corrected a bug which could cause a slave server with
   "allow-update-forwarding" set to become unresponsive if the
   master it is trying to reach is off-line or unreachable. [RT
   #24711]

-  Socket errors during during recursion were sometimes not handled
   correctly which could lead to a named assert when an associated
   query structure was used after it had already been freed [RT
   #22208]

-  The logging level for DNSSEC validation failures due to expired
   or not-yet-valid RRSIGs has been increased to log level "info"
   to make it easier to diagnose these problems. Examples of the
   new log messages are given below:
      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG has expired
      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to bad
      signature (keyid=19442): RRSIG validity period has not begun
   [RT #21796]

-  This change can reduce the time when a server is unavailable
   during "rndc reconfig" for servers with large and complex
   configurations. This is achieved by completing the parsing of
   the configuration files in entirety before entering the exclusive
   phase. (Note that it does not reduce the total time spent in
   "rndc reconfig", and it has no measurable impact on server initial
   start-up times.) [RT #21373]

-  Direct queries for type RRSIG or SIG (sometimes used while
   testing) could be handled incorrectly in the case where there
   is no answer available. [RT #21050]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist us
   in continuing to make quality open source software, please visit
   our donations page at http://www.isc.org/supportisc.

(c) 2001-2011 Internet Systems Consortium
_______________________________________________
bind-announce mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-announce

Reply via email to