Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14
Dear BIND users:

Yesterday, 16 June 2021, we released monthly maintenance snapshot releases of our currently supported release branches of BIND. Specifically, we released BIND 9.11.33, 9.16.17, and 9.17.14.

There's no way to say this that isn't embarrassing, but only after the release was an error in a recently optimized routine discovered by a user -- an error that will definitely cause operational problems for almost all server operators who upgrade to either of these affected versions:

- BIND 9.16.17
- BIND 9.17.14

BIND 9.11.33 is NOT affected.

If you have not yet updated to the 16 June releases, we ask that you hold off on any plans to install 9.16.17 or 9.17.14 until replacement releases can be prepared and tested.

The specific issue in question is being tracked in our issue tracker:

https://gitlab.isc.org/isc-projects/bind9/-/issues/2779

and more information about our plans for issuing replacement releases will be provided later; at the moment our priority is getting the news to parties as quickly as possible so that those who have not already adopted the new releases can postpone until corrected versions are available.

Michael McNally
Internet Systems Consortium

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13
The May 2021 maintenance releases of BIND are available and can be downloaded from the ISC software download page, https://www.isc.org/download

A summary of changes in the new releases can be found in their release notes:

current supported stable branches:

9.11.32 - https://downloads.isc.org/isc/bind9/9.11.32/RELEASE-NOTES-bind-9.11.32.html
9.16.16 - https://downloads.isc.org/isc/bind9/9.16.16/RELEASE-NOTES-bind-9.16.16.html

experimental development branch:

9.17.13 - https://downloads.isc.org/isc/bind9/9.17.13/RELEASE-NOTES-bind-9.17.13.html

Please note: The 9.17 experimental development branch is produced on a best-effort basis. In this particular set of releases, an issue in our build tools prevented the creation of the usual installer package for Windows users. Rather than delay the release, we went ahead, with the consequence that there are no Windows zips provided for the 9.17 branch this month. Zip files with Windows packages were provided as usual for the 9.11 and 9.16 branches.

Michael McNally
ISC Support
Experimenting with a new practice for pre-announcing vulnerability disclosures
Hey BIND-users,

I hope that most of you are already subscribed to the bind-announce list. But for those who are not, bind-announce is another public list operated by Internet Systems Consortium. It is a low-traffic list which ISC staff use to make announcements concerning the BIND project -- most frequently about the release of new versions of BIND or occasionally when we disclose a serious security vulnerability. You can subscribe by going to: https://lists.isc.org

The reason I bring it up is that ISC is experimenting with a new practice to extend our Security Vulnerability Disclosure Process. After observing this practice being used successfully by other open-source projects, we have modified our disclosure policy to allow us to (optionally) make a limited pre-announcement giving a "heads up" a few days before a public disclosure occurs.

Such pre-announcements, should they occur, will be posted to the bind-announce list and you can see the first example of one in the list archives even if you are not a subscriber:

https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html

Michael McNally
ISC Support
Re: bind 9.16 vs. 9.14 tcp client connections
On 3/5/20 4:34 AM, Ondřej Surý wrote:
> On 5 Mar 2020, at 10:11, Arsen STASIC wrote:
>>
>> Hi,
>>
>> Bind 9.16 was installed on 3/2 15:45 and tcp connections ramped up to
>> maximum:
>> rndc status | grep -i tcp
>> tcp clients: 102/150
>> TCP high-water: 150
>>
>> Switching back to bind 9.14 on 3/4 15:45 shows "normal" tcp client behavior:
>> rndc status | grep -i tcp
>> tcp clients: 29/150
>> TCP high-water: 67
>>
>> I have found some tcp related changes in the later versions of 9.15
>> <https://ftp.isc.org/isc/bind/9.16.0/CHANGES>,
>> but nothing which is explaining this kind of behaviour.
>>
>> Has someone else experienced this too?
>
> Hi Arsen,
>
> we think you are hitting a problem that was reported to us earlier. Since it
> has been now circulated on the bind-users, we made the merge request public:
>
> https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3163
> ...
>
> ISC will be issuing a proper Operational Notification later this week
> and the fix will be included in BIND 9.16.1 due in March.
>
> Sorry for the inconvenience.

Hello --

Subscribers who are also subscribed to the bind-announce list will now have received our Operational Notification concerning this issue. If you're not a subscriber to that list.. why not? (it's low traffic and only carries important announcements, generally about releases and security issues). But in any case you can view the Operational Notification via the list archives:

https://lists.isc.org/pipermail/bind-announce/2020-March/001150.html

or via our knowledge base:

https://kb.isc.org/docs/operational-notification-an-error-in-handling-tcp-client-quota-limits-can-exhaust-tcp-connections-in-bind-9160

The short version, though, is that we introduced a problem with TCP client quota enforcement during the later releases of the 9.15 development branch which was not noticed until 9.16.0. A fix is available and a patch diff can be found linked from either version of the Operational Notification links above.

Apologies,

Michael McNally
ISC Support
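Added example, not ISC code and not part of the thread: a small monitor that parses the two "rndc status" lines Arsen quoted and flags a server whose TCP high-water mark has reached the tcp-clients quota, which is the symptom of the 9.16.0 quota bug. The two status blocks are constructed samples modelled on the thread's numbers.

```python
"""Watch the TCP client quota reported by 'rndc status'.

Added example, not ISC code. It parses the two lines quoted in the thread
('tcp clients: N/Q' and 'TCP high-water: H') and classifies the server:
a high-water mark equal to the quota means new TCP clients have already
been refused at least once since startup, which is the symptom the
9.16.0 quota bug produces."""
import re

# Constructed sample output, modelled on the two snapshots in the thread.
STATUS_9_16 = """\
version: BIND 9.16.0 (Stable Release)
recursive clients: 12/900/1000
tcp clients: 102/150
TCP high-water: 150
server is up and running
"""
STATUS_9_14 = """\
version: BIND 9.14.10 (Stable Release)
recursive clients: 10/900/1000
tcp clients: 29/150
TCP high-water: 67
server is up and running
"""

TCP_CLIENTS_RE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)\s*$", re.I | re.M)
HIGH_WATER_RE = re.compile(r"^TCP high-water:\s*(\d+)\s*$", re.I | re.M)


def parse_tcp_status(text):
    """Return (current, quota, high_water) from rndc status output.
    Raises ValueError when a line is missing so a monitoring job fails
    loudly instead of silently reporting zero usage."""
    clients, high = TCP_CLIENTS_RE.search(text), HIGH_WATER_RE.search(text)
    if not clients or not high:
        raise ValueError("rndc status output lacks the TCP client lines")
    return int(clients.group(1)), int(clients.group(2)), int(high.group(1))


def assess_tcp_quota(text, warn_ratio=0.8):
    """Classify quota state: 'critical' when high-water has reached the
    quota, 'warning' above warn_ratio of the quota, otherwise 'ok'."""
    current, quota, high_water = parse_tcp_status(text)
    if quota <= 0:
        raise ValueError("tcp-clients quota must be positive")
    if high_water >= quota:
        return "critical"
    if current >= warn_ratio * quota:
        return "warning"
    return "ok"


if __name__ == "__main__":
    for label, text in (("9.16", STATUS_9_16), ("9.14", STATUS_9_14)):
        cur, quota, hw = parse_tcp_status(text)
        print(f"{label}: {cur}/{quota} TCP clients, high-water {hw}: {assess_tcp_quota(text)}")
```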
Internet Systems Consortium has a position open (Support Engineer III)
Hello, bind-users list members,

I hope you'll excuse me for posting something a little bit out of the ordinary for this list, but there are perhaps some in this community who will be interested to know that we are looking for a candidate to fill the position of Support Engineer III at Internet Systems Consortium.

It was via this list (a number of years ago) that I myself learned of a similar opening and thereby gained the opportunity to join a crew of intelligent, friendly, and talented colleagues working together to further the mission of an organization whose vision is to develop free open-source software in order to promote a free and open internet.

If you'd like to know more about ISC you can read about our mission here: https://www.isc.org/about/

and if you are interested in learning more about the open position you can find details here: https://jobs.isc.org/o/support-engineer-iii

The successful candidate will have excellent communication skills, strong technical knowledge and troubleshooting skills, and domain-specific experience in DNS and DHCP. Full details and links to submit an application can be found on the job description page.

Thank you for your time and (for those who are not interested) please accept my apologies for the digression from the usual list content.

Michael McNally
ISC Support
Test mail to bind-users
We have had reports that posts to bind-users are (in at least some cases) triggering unwelcome direct-to-the-submitter messages from spammers. Please disregard this message while I try to gather some information in the hopes of stopping this unwelcome behavior.
CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.
CVE: CVE-2018-5737
Document Version: 2.0
Posting date: 18 May 2018
Program Impacted: BIND
Versions affected: 9.12.0, 9.12.1
Severity: Medium
Exploitable: Remotely

Description:

A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation -- either degradation or denial of service.

Impact:

Servers running a vulnerable version of BIND (9.12.0, 9.12.1) which permit recursion to clients and which have the max-stale-ttl parameter set to a non-zero value are at risk.

CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds:

Setting "max-stale-ttl 0;" in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.) Setting "stale-answer-enable off;" is not sufficient to prevent exploitation, max-stale-ttl needs to be set to zero.

Active exploits: No known active exploits.

Solution:

The error which can be exploited in this vulnerability is present in only two public release versions of BIND, 9.12.0 and 9.12.1. If you are running an affected version then upgrade to BIND 9.12.1-P2

Acknowledgements: ISC would like to thank Tony Finch of the University of Cambridge for his assistance in discovering and analyzing this vulnerability.

Document Revision History:

1.0 Advance Notification, 09 May 2018
1.1 BIND 9.12.1-P1 was recalled before public announcement due to defect, the advisory language was re-written to be clearer about the exploit risk, and the public disclosure date was adjusted because of the problem with 9.12.1-P1, 17 May 2018
2.0 Public Disclosure, 18 May 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected.

If you'd like more information on ISC Subscription Support and Advance Security Notifications, please visit http://www.isc.org/support/.

Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org. To report a new issue, please encrypt your message using security-offi...@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861

This Knowledge Base article https://kb.isc.org/article/AA-01606 is the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

(c) 2001-2018 Internet Systems Consortium
BIND 9.12.1-P2 is now available
A new version of BIND is available to address two vulnerabilities disclosed today: CVE-2018-5736 and CVE-2018-5737; see the respective messages on this mailing list or consult the ISC Knowledge Base https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/.

Only two releases in the BIND 9.12 branch were affected by these vulnerabilities and BIND 9.12.1-P2 corrects both issues. The new release can be found via our software download page: https://www.isc.org/downloads

Finally, a word of apology for the awkward timing of this disclosure. At ISC we usually try to avoid the very beginning or end of the week for our vulnerability disclosures because time zone factors can make those times particularly awkward for operators in other parts of the world. In this particular instance we had originally scheduled our disclosure for Wednesday (16 May) but were forced to delay the release when a last-minute flaw was found in BIND 9.12.1-P1, leading to its withdrawal and replacement with BIND 9.12.1-P2. Unfortunately the vulnerabilities were partly disclosed at that stage and we decided that the safest course was to proceed as directly as possible to public disclosure, rather than risk a leak. We do regret the inconvenience that will be incurred by server operators due to the timing of this announcement.

Michael McNally
ISC Security Officer
CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c
CVE: CVE-2018-5736
Document Version: 2.0
Posting date: 18 May 2018
Program Impacted: BIND
Versions affected: 9.12.0 and 9.12.1
Severity: Medium
Exploitable: Remotely, if an attacker can trigger a zone transfer

Description:

An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.

Impact:

Authoritative servers that serve slave zones are vulnerable to potential denial of service if all of the following are true:

+ they are running an affected version of BIND (BIND 9.12.0 or 9.12.1)
+ at least one of the zones for which they are providing service is of type "slave"
+ they permit NOTIFY messages from any source.

CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Workarounds:

For servers which must receive notifies to keep slave zone contents current, no complete workarounds are known although restricting BIND to only accept NOTIFY messages from authorized sources can greatly mitigate the risk of attack.

Active exploits: No known active exploits.

Solution:

The reference counting error which can be exploited in this vulnerability is present in only two public release versions of BIND, 9.12.0 and 9.12.1. If you are running an affected version then upgrade to BIND 9.12.1-P1

Acknowledgements: ISC would like to thank SWITCH for informing us of this vulnerability.

Document Revision History:

1.0 Advance Notification 09 May 2018
2.0 Public Disclosure 18 May 2018

Related Documents:

See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org. To report a new issue, please encrypt your message using security-offi...@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/).

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861

This Knowledge Base article https://kb.isc.org/article/AA-01602 is the complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

(c) 2001-2018 Internet Systems Consortium
FYI: zones created using "rndc addzone" could temporarily fail to inherit option "allow-transfer"
We recently received a bug report that newly-added zones (via rndc addzone) were not inheriting the global allow-transfer directive and could be transferred using AXFR by anyone able to access the server to which they had just been added. Further investigation revealed that the circumstances when this might occur are very specific, transient, and unlikely to affect most production environments. However since we're now aware of this defect we decided that it would be in the best interests of our users to share this knowledge so that administrators can judge whether or not they need to be concerned.

We assessed the effects of the defect and concluded that it does not meet our policy criteria for handling as a security defect: https://kb.isc.org/article/AA-00861/

It will be fixed in upcoming releases of BIND: 9.12.0, 9.11.3, 9.10.7, 9.9.11

4836.   [bug]   Zones created using "rndc addzone" could temporarily
                fail to inherit an "allow-transfer" ACL that had been
                configured in the options statement. [RT #46603]

BIND administrators need only take notice if they are dynamically adding zones to views (including the default view) that are completely empty of zones (no zones via named.conf, and no dynamic zones added earlier) when named is started.

The effect of this bug is that when a zone is being added dynamically, named fails to check for and initialize the view option 'allow-transfer' if this had not already been done previously. This would be unusual in most production implementations because view initialization takes place either when named starts up and loads its already-configured zones, or when named processes 'rndc reload' or 'rndc reconfig' control commands for non-empty views. Additionally, if the dynamic zones are added with their own zone-specific 'allow transfer' option, then this option will be properly applied for that zone (but this does not mitigate the bug for any other zones added without a zone-specific ACL).

In summary, this defect will only affect you if you:

- Start named with no zones at all in some/all views
- After named has started, add zones to empty views using 'rndc addzone'
- Rely on dynamic zones inheriting the global or view-specific 'allow-transfer' directive rather than specifying it for each zone
- Don't afterwards issue 'rndc reconfig' or 'rndc reload', or restart named

One further consideration is whether or not it matters that the zones are temporarily available for zone transfer.

ISC would like to thank Andrew Parnell at easyDNS and Dave Knight at Snake Hill Labs for bringing this bug to our attention.

Sincerely,

ISC Support
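Added example, not ISC code: a named.conf audit covering the three configuration conditions described on this list, the CVE-2018-5737 workaround (max-stale-ttl on a recursive server), the NOTIFY exposure of slave zones from CVE-2018-5736, and the empty-view rndc addzone case above. The sample configuration is constructed, and the parser assumes a single named.conf file with no include directives.

```python
"""Audit a named.conf for three conditions discussed on this list: CVE-2018-5737
(recursive server with a non-zero max-stale-ttl), CVE-2018-5736 (slave zone
accepting NOTIFY from any source) and change 4836 (rndc addzone into a view that
is empty at startup). Added example, not ISC code; 'include' is not followed."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_named_conf(text):
    """Statements as (words, block): block is a nested list for '{...}', else None."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # block comments
    text = re.sub(r"(//|#)[^\n]*", " ", text)            # line comments
    tokens = TOKEN_RE.findall(text)

    def block(i):
        stmts, words = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "{":
                inner, i = block(i)
                stmts.append((words, inner))
                words = []
            elif tok == "}":
                break
            elif tok == ";":
                if words:
                    stmts.append((words, None))
                words = []
            else:
                words.append(tok.strip('"'))
        return stmts, i

    return block(0)[0]


def first(stmts, name):
    """First statement in `stmts` whose keyword is `name`, else None."""
    return next(((w, b) for w, b in stmts if w and w[0] == name), None)


def acl_names(stmt):
    """Entries of an address-match list such as allow-notify { any; }."""
    return [w[0] for w, _ in (stmt[1] or [])] if stmt else []


def inherited(name, *scopes):
    """Resolve `name` through zone -> view -> options, as named does."""
    return next((f for f in (first(s, name) for s in scopes) if f), None)


def audit(text):
    """Return a list of (check, detail) findings for a named.conf text."""
    conf = parse_named_conf(text)
    opts = first(conf, "options")
    opts = opts[1] if opts else []
    findings = []

    # CVE-2018-5737 (9.12.0/9.12.1): recursion on and max-stale-ttl not zero.
    # Assumption: recursion defaults to yes and 9.12 defaults max-stale-ttl to
    # a non-zero value, so an absent option counts as exposed.
    rec = first(opts, "recursion")
    recursive = (not (rec and rec[0][1:] == ["no"])
                 and acl_names(first(opts, "allow-recursion")) != ["none"])
    stale = first(opts, "max-stale-ttl")
    if recursive and (stale is None or stale[0][1:] != ["0"]):
        findings.append(("CVE-2018-5737", "recursive server without 'max-stale-ttl 0;'"))

    # Explicit views, or one implicit default view holding the top-level zones.
    views = [(w[1], b or []) for w, b in conf if w and w[0] == "view"] or [("<default>", conf)]
    for vname, vstmts in views:
        zones = [(w, b or []) for w, b in vstmts if w and w[0] == "zone"]
        # CVE-2018-5736 (9.12.0/9.12.1): slave zone whose effective allow-notify
        # (zone, then view, then options level) admits 'any'.
        for zwords, zstmts in zones:
            ztype = first(zstmts, "type")
            if ztype and ztype[0][1:] == ["slave"]:
                if "any" in acl_names(inherited("allow-notify", zstmts, vstmts, opts)):
                    findings.append(("CVE-2018-5736",
                                     f"slave zone {zwords[1]} in view {vname} accepts NOTIFY from any"))
        # Change 4836 (fixed in 9.12.0, 9.11.3, 9.10.7, 9.9.11): view empty at
        # startup, rndc addzone enabled, allow-transfer expected to be inherited;
        # zones added before an 'rndc reconfig' may be open to AXFR.
        new_zones = inherited("allow-new-zones", vstmts, opts)
        if (not zones and new_zones and new_zones[0][1:] == ["yes"]
                and inherited("allow-transfer", vstmts, opts)):
            findings.append(("4836", f"view {vname} is empty at startup with "
                             "allow-new-zones and an inherited allow-transfer"))
    return findings


# Constructed sample configuration that trips all three checks.
SAMPLE_CONF = """
options {
    allow-new-zones yes;
    allow-transfer { 192.0.2.0/24; };  // meant to be inherited by every zone
    allow-notify { any; };             /* NOTIFY accepted from anyone */
    # max-stale-ttl left at its default
};
view "internal" {
    zone "example.net" { type slave; masters { 192.0.2.10; }; };
    zone "corp.example" { type slave; allow-notify { 192.0.2.10; }; };
};
view "external" { match-clients { any; }; };
"""

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONF):
        print(f"{check}: {detail}")
```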
CVE-2017-3142 and CVE-2017-3143 -- TSIG-related BIND vulnerabilities
Today ISC announced two significant BIND vulnerabilities (via our bind-announce list -- https://lists.isc.org/mailman/listinfo/bind-announce)

They are CVE-2017-3142 and CVE-2017-3143 and both are related to errors in our TSIG support.

These are unusual CVEs for BIND -- many of the vulnerabilities we disclose are denial-of-service vectors which affect server availability but can easily be partly or completely mitigated by running BIND with a watchdog process. Atypically, these new vulnerabilities have, respectively, a confidentiality impact (for CVE-2017-3142, which potentially permits unauthorized zone transfer) and a data integrity impact (CVE-2017-3143, which under some circumstances can permit an attacker to cause the server to accept a forged DDNS update.)

New versions of BIND have been released and are available from ISC's web site: http://www.isc.org/downloads

Details on the vulnerabilities are available via the ISC Knowledge Base: https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

Please take these bugs seriously and act promptly to safeguard your servers if you rely on TSIG authentication for zone transfers or DDNS.

Michael McNally
ISC Support
"Jumbo" Security Release of BIND corrects four exploitable vulnerabilities.
ISC has issued new security releases of BIND today, correcting three exploitable vulnerabilities discovered in the course of our internal fuzz-testing and an additional exploitable vulnerability reported to us by a contributor.

The issues are:

CVE-2016-9131
CVE-2016-9147
CVE-2016-9444
CVE-2016-9778

and details about each can be found in the BIND Security Advisories section of the ISC Knowledge Base: https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

New security releases have been issued which correct the vulnerabilities. These are available via the http://www.isc.org/downloads web page:

BIND 9.9.9-P5
BIND 9.10.4-P5
BIND 9.11.0-P2

We encourage all parties using or distributing BIND to upgrade to these versions as soon as possible so that they may be protected from the vulnerabilities now that they have been publicly disclosed.

Michael McNally
ISC Security Officer
BIND 9.11.0b1 is now available
BIND 9.11.0b1, the first beta release of the BIND 9.11 branch, is now available for download from the ISC website (at http://www.isc.org/downloads)

BIND 9.11 brings many changes to BIND, including a new license (the Mozilla Public License 2.0 -- you can read about it here: https://www.isc.org/blogs/bind9-adopts-the-mpl-2-0-license-with-bind-9-11-0/) and many new features, including:

- Catalog zones, a new way to provision zones on slave servers
- dyndb api, a fast new api enabling BIND to serve zones stored in a database (Developed by Petr Spacek of RedHat)
- RNDC showzone, view-only mode and other improvements
- dnstap query and response logging (Robert Edmonds is the author of dnstap, see www.dnstap.info)
- EDNS Client-subnet (authoritative server functions)
- DNSSEC key manager, a new utility (Thanks to Sebastián Castro for helping with development.)
- Automatic CDS/CDSKEY generation
- Negative Trust Anchors for DNSSEC validators
- IPv6 bias to encourage use of IPv6 DNS servers
- Minimal response to “any” queries (Thanks to Tony Finch for the contribution)
- DNS Cookies are now enabled by default, using the standardized code point

Contributions and testing from our users during the beta period are an important part of BIND's development cycle so please, if you are interested in helping us improve BIND, give the beta version a try and send us your feedback so that we can ensure that 9.11 is the best BIND ever.

Should you find an issue you wish to report, information on how to submit a bug report can be found at https://www.isc.org/community/report-bug
BIND 9.11.0a3 introduces catalog zones
BIND 9.11.0a3, the third alpha development pre-release of BIND 9.11, is now available for download from ISC's website: http://www.isc.org/downloads

This release includes the debut of an experimental new 9.11 feature, catalog zones. Catalog zones are designed to allow easier dynamic configuration of zones on secondary servers than previous methods, as described in this snippet from the release announcement:

A special zone of a new type, a catalog zone (CZ), is set up on the master and secondary servers in the normal way. Once a catalog zone is configured, when an operator wishes to add a new zone to the nameserver constellation s/he can provision the zone on the master server and add an entry describing the zone to the catalog zone. As the secondary servers receive the updated copy of the catalog zone data they will note the new entry and automatically create a zone for it, pull the zone data from the master server in the normal way, and begin serving the zone.

Deletion of a zone listed in a CZ is done by deleting the entry in the catalog zone data. The update of the CZ data on the secondary servers will cause them to stop serving the zone in question and to delete it from the secondaries, after which the operator can manually remove the zone from the master server.

We'd like your feedback on catalog zones and the other new features in the development release. Please see the release notes at: ftp://ftp.isc.org/isc/bind9/9.11.0a3/RELEASE-NOTES-bind-9.11.0a3.html and give the new release a try if you have a chance.
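Added example, not from the release announcement and not ISC's code: generating the catalog zone records that drive the add/remove provisioning described above, in the format BIND 9.11 implemented (the member owner label is the SHA-1 hex digest of the member zone name in lowercase DNS wire form under "zones.<catalog>", and a TXT at "version.<catalog>" carries the format version, assumed here to be "1"). The catalog and member zone names are constructed.

```python
"""Generate the catalog-zone records that drive the provisioning described
above: one PTR per member zone, owned by a label derived from the zone name.

Added example, not ISC's code. It follows the format BIND 9.11 implemented:
the owner label is the SHA-1 hex digest of the member zone's name in
lowercase, uncompressed DNS wire format, under 'zones.<catalog>', and a
TXT record at 'version.<catalog>' carries the format version, assumed
here to be "1"."""
import hashlib

CATALOG_VERSION = "1"  # assumption: version value of the 9.11-era format


def wire_name(name):
    """Uncompressed DNS wire form of `name`: length-prefixed lowercase labels
    ending in the root (zero) label; 'Example.COM' -> b'\\x07example\\x03com\\x00'."""
    out = bytearray()
    for label in [l for l in name.lower().rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def member_label(zone):
    """SHA-1 hex of the wire-format zone name, used as the catalog owner label."""
    return hashlib.sha1(wire_name(zone)).hexdigest()


def member_owner(zone, catalog):
    """Owner name of the member record for `zone` inside `catalog`."""
    return f"{member_label(zone)}.zones.{catalog.rstrip('.')}."


def catalog_zone(catalog, members, serial):
    """Render a minimal catalog zone in master-file format: SOA, NS, version
    TXT and one PTR per member. Bumping `serial` on every add or delete is
    what makes the secondaries transfer the change and act on it."""
    catalog = catalog.rstrip(".") + "."
    lines = [
        f"{catalog} 0 IN SOA . . {serial} 900 600 86400 1",
        f"{catalog} 0 IN NS invalid.",
        f'version.{catalog} 0 IN TXT "{CATALOG_VERSION}"',
    ]
    for zone in sorted(members, key=str.lower):
        lines.append(f"{member_owner(zone, catalog)} 0 IN PTR {zone.rstrip('.')}.")
    return "\n".join(lines) + "\n"


def members_from_zone(text):
    """Recover the set of member zone names from a rendered catalog zone,
    the same information a secondary extracts when it receives the zone."""
    members = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "PTR" and ".zones." in parts[0]:
            members.add(parts[4].rstrip(".").lower())
    return members


if __name__ == "__main__":
    # Constructed scenario: two members provisioned, then one removed; each
    # change is a new serial so secondaries pick it up via normal transfer.
    print(catalog_zone("catalog.example", ["domain.example", "Other.Example"], 2016101202))
    print(catalog_zone("catalog.example", ["Other.Example"], 2016101203))
```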
New BIND Releases 9.9.9-P1 and 9.10.4-P1 (was: "Re: BIND 9.10.4 may have a fatal crash defect.")
On 5/17/16 11:08 PM, Michael McNally wrote:
> Though this flaw can occur with any compiler, it's substantially more
> likely to lead to a crash when BIND is compiled on the x86_64 platform
> using the 'clang' compiler and a difference in the node structure between
> BIND 9.9 and 9.10 makes the failure more likely to occur in BIND 9.10.
> However, operators who are running one of the affected versions (BIND 9.9.9,
> BIND 9.10.4, or BIND 9.9.9-S1) should replace those versions as soon as
> updated releases are available.
>
> Having identified what we believe to be the root cause, we are currently,
> with the help of some volunteers who were previously experiencing crashes
> in their operational environments, testing a candidate fix with (so far)
> good results. If no further failures occur, we expect to issue patch
> releases for all of the April 28 releases (BIND 9.9.9, BIND 9.10.4, and
> BIND 9.9.9-S1)

New versions of BIND which contain a fix to prevent the red/black tree (RBT) race condition which was causing INSIST assertions in BIND 9.10.4 (and could potentially also have occurred in 9.9.9 and 9.9.9-S1) have been released. The public releases are available through the ISC website, https://www.isc.org/downloads

In addition to the fix to prevent the RBT assertions, the new releases also contain changes to the Windows builds, correcting a problem which made installation difficult on some Windows versions due to an interaction with User Account Control (UAC) and fixing a bug that could cause an assertion after an "rndc stats" command (on Windows only.)
Re: BIND 9.10.4 may have a fatal crash defect.
To our users:

Last week, reacting to reports from several users concerning assertion failures in BIND 9.10.4, we took the unusual step of deprecating that release while we investigated the problem: internal checks detecting a state in the cache data structure that should have been impossible.

Thanks to several users who shared their crash data with us, our developers have identified a problem. In the April 28 maintenance releases, the internal representation and packing of the 'node' structure used in the BIND cache was changed to reduce memory usage and increase performance. The packing change caused some single-bit flag values that were protected by one lock to share the same word in physical memory with flag values protected by a different lock. This creates the potential for a race condition: two threads can modify the same flag value simultaneously, leading to the inconsistent state that triggers the assertion failures.

Though this flaw can occur with any compiler, it's substantially more likely to lead to a crash when BIND is compiled on the x86_64 platform using the 'clang' compiler, and a difference in the node structure between BIND 9.9 and 9.10 makes the failure more likely to occur in BIND 9.10. However, operators who are running one of the affected versions (BIND 9.9.9, BIND 9.10.4, or BIND 9.9.9-S1) should replace those versions as soon as updated releases are available.

Having identified what we believe to be the root cause, we are currently, with the help of some volunteers who were previously experiencing crashes in their operational environments, testing a candidate fix with (so far) good results. If no further failures occur, we expect to issue patch releases for all of the April 28 releases (BIND 9.9.9, BIND 9.10.4, and BIND 9.9.9-S1).

If you're wondering how this affects you, we hope this summary may help:

+ Nothing we have seen so far suggests that this issue is a deliberately exploitable security vulnerability.

+ Completely authoritative servers are at extremely low risk (approaching zero) from this defect. Only recursive servers are at significant risk. If you are operating an authoritative server which does not perform recursion for clients, you can probably safely wait for replacement versions to be released and upgrade when convenient.

+ We have only received reports of INSIST exceptions in BIND 9.10.4.

+ The change which exposed the race condition exists in BIND 9.9.9 and BIND 9.9.9-S1 as well, but we have received no reports of INSIST errors occurring in those versions. They are possible but have a much lower probability of occurrence.

+ If you are running a recursive resolver on an affected version of BIND, you are at moderate risk unless you are running BIND 9.10.4 and your named binaries have been compiled with clang, in which case you are at higher risk. You have several options, including:

  - revert to BIND 9.9.8-P4, 9.10.3-P4, or 9.9.8-S6 until the replacement versions are officially released

  - retrieve and compile the current 9_9 or 9_10 branch from the ISC public git repository, which will contain the candidate fix which we expect to release next week, or contact ISC Support for assistance with a patch if you are a customer with a support contract.

  - use a watchdog process to manage 'named' and restart it if it exits; upgrade when replacement versions are released.

We'd like to once again thank the users who helped us to track this down and apologize for the inconvenience it has caused to our users.

Michael McNally
ISC Support
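As an added illustration of the mechanism described in the message above (this is not BIND's code, and the two struct layouts are hypothetical stand-ins for the cache node), the C below replays the race deterministically: a store to a bitfield compiles to load-word / modify / store-word, so when flags guarded by two different locks share one word, a thread holding lock A can overwrite a bit that a thread holding lock B just set, because neither lock excludes the other. A scripted interleaving is used instead of real threads so the losing schedule is reproducible. It also shows the two usual cures: give each lock's flags a word of their own, or update the shared word with an atomic OR.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout (not BIND's rbtdb node): two single-bit flags,
 * each guarded by a different lock, packed into the same 32-bit word.
 * Each lock protects only its own bit, not the word that holds it. */
struct packed_node {
    uint32_t flag_a : 1;    /* guarded by lock A */
    uint32_t flag_b : 1;    /* guarded by lock B */
    uint32_t other  : 30;
};

/* Corrected layout: each lock's flags live in their own word, so a
 * read-modify-write under lock A can never touch lock B's bits. */
struct split_node {
    uint32_t flags_a;       /* guarded by lock A */
    uint32_t flags_b;       /* guarded by lock B */
};

/* Which bit of the word each bitfield occupies (ABI-dependent, so probe it). */
static uint32_t mask_of_flag_a(void)
{
    union { struct packed_node n; uint32_t word; } p = { .word = 0 };
    p.n.flag_a = 1;
    return p.word;
}
static uint32_t mask_of_flag_b(void)
{
    union { struct packed_node n; uint32_t word; } p = { .word = 0 };
    p.n.flag_b = 1;
    return p.word;
}

/* 1 if both flags really share one word (the situation the message describes). */
int flags_share_word(void)
{
    return sizeof(struct packed_node) == sizeof(uint32_t)
        && mask_of_flag_a() != mask_of_flag_b();
}

/* Replay the schedule the compiler permits: both threads load the word
 * before either stores it.  Returns flag_a afterwards (0 = lost update). */
unsigned packed_interleaving(void)
{
    union { struct packed_node n; uint32_t word; } shared = { .word = 0 };
    uint32_t a_copy = shared.word;           /* thread A (lock A held) loads */
    uint32_t b_copy = shared.word;           /* thread B (lock B held) loads */
    a_copy |= mask_of_flag_a(); shared.word = a_copy;   /* A stores flag_a = 1 */
    b_copy |= mask_of_flag_b(); shared.word = b_copy;   /* B stores, clobbers A */
    return shared.n.flag_a;
}

/* Same schedule on the split layout: each RMW covers only its own word. */
unsigned split_interleaving(void)
{
    struct split_node n = { 0, 0 };
    uint32_t a_copy = n.flags_a;
    uint32_t b_copy = n.flags_b;
    a_copy |= 1u; n.flags_a = a_copy;
    b_copy |= 1u; n.flags_b = b_copy;
    return (n.flags_a & 1u) && (n.flags_b & 1u);   /* 1: both survive */
}

/* Alternative when the word must stay shared: an atomic OR is one
 * indivisible RMW, so there is no window between load and store. */
uint32_t atomic_interleaving(void)
{
    _Atomic uint32_t word = 0;
    atomic_fetch_or(&word, 1u << 0);         /* thread A */
    atomic_fetch_or(&word, 1u << 1);         /* thread B */
    return atomic_load(&word);               /* 3: both bits present */
}

int main(void)
{
    printf("flags share a word: %d\n", flags_share_word());
    printf("packed layout, flag_a after race: %u (lost)\n", packed_interleaving());
    printf("split layout, both flags kept:    %u\n", split_interleaving());
    printf("atomic OR on shared word:         0x%x\n", atomic_interleaving());
    return 0;
}
```

The replay is single-threaded on purpose: with real threads the bad schedule is rare and compiler-dependent (which is why the message reports it mostly under clang on x86_64), but the layout fact that makes it possible is checkable at compile time, and that is what flags_share_word() tests.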
BIND 9.10.4 may have a fatal crash defect.
To our users:

Recently, on Thursday 28 April, ISC released two maintenance releases of BIND 9:

- BIND 9.9.9
- BIND 9.10.4

Beginning after the release of BIND 9.10.4 we started receiving a small number of reports from recursive server operators who have encountered an INSIST assertion in code which checks the consistency of the Red-Black Tree structure in which BIND stores cache information. Based on these reports, we are concerned about the possibility (which we are currently investigating) that this may represent a crash bug introduced into the most recent versions of BIND and we are advising that parties who are planning to update but have not yet updated to BIND 9.10.4 postpone their plans until after the issue is found and fixed.

At the current time we have no reports of crashes in BIND 9.9.9 which suggests, but does not prove, that the issue may be confined to the BIND 9.10 and development master (9.11) branches. We also only have crash reports from two operating systems: MacOS X and FreeBSD. We cannot yet conclude whether the problem is limited to these OSes (and until we know more, recommend against assuming so.)

As yet we are unable to say how the cache data structure is reaching an inconsistent state and while we are working with several parties who have encountered this bug and who are sharing crash data with us we have not yet developed a reproduction or identified a root cause. Updated information will be shared via this public list when we know more.

BIND 9.10.4 is still available but is marked as "deprecated" on the http://www.isc.org/downloads page. If you are in search of the current stable release in the 9.10 branch we recommend BIND 9.10.3-P4
BIND 9.11.0a1 is now available
The first official alpha development release of the new BIND 9.11 branch has been published and announced via our bind-announce list -- if you're not subscribed to that list you can see the announcement in the list's public archive here:

https://lists.isc.org/pipermail/bind-announce/2016-March/000981.html

Or you can go straight to our download page and grab it:

http://www.isc.org/downloads

BIND 9.11 has quite a few interesting new features and we'd really like your feedback to help us make the final release the best it can be. We've put a lot of work into 9.11 and we're excited to be delivering it. Please check it out and let us know what you think.
Re: ISC Responds to Customer Questions About CVE-2015-7547 (glibc buffer overflow vulnerability.)
Please excuse the typo'ed CVE number in the command line -- the glibc vulnerability is CVE-2015-7547. The link below is correct.

On 2/19/16 5:03 PM, Michael McNally wrote:
> This week a major vulnerability in glibc was announced. In response to
> questions from our customers and users, ISC has provided a response for
> operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP,
> and Kea server operators.
>
> https://www.isc.org/blogs/a-few-words-about-the-glibc-vulnerability-cve-2015-7547/
ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)
This week a major vulnerability in glibc was announced. In response to questions from our customers and users, ISC has provided a response for operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP, and Kea server operators.

https://www.isc.org/blogs/a-few-words-about-the-glibc-vulnerability-cve-2015-7547/

--
Michael McNally
ISC Support
Re: CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
On 28 July 2015, ISC publicly disclosed CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure.)

We would like to inform all readers of this list that the official copy of this CVE (https://kb.isc.org/article/AA-01272) has been revised to reflect new information received. Specifically, after learning that a party with no connection to ISC had published proof-of-concept code alleged to exercise the denial-of-service vector disclosed in the CVE, we have updated the Active exploits section of the advisory, changing from:

  Active exploits: None known.

to:

  Active exploits: We have been informed that proof-of-concept code for an exploit has been published by a third party to a public source repository.

As this development significantly increases the potential risk that this vulnerability will be exploited by those with a mind to do so, please take steps to patch or upgrade to a secure version as soon as possible.
About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)
As the security incident manager for this particular vulnerability notification, I'd like to say a little extra, beyond our official vulnerability disclosure (https://kb.isc.org/article/AA-01272) about this critical defect in BIND.

Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code.

The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.

Please take steps to patch immediately. This bug is designated Critical and it deserves that designation.
ISC has issued a new code signing key. Previous key expires 31 January
Happy New Year to the BIND community,

Beginning with the start of 2015, ISC is introducing a new PGP signing key which will be used to verify the authenticity of BIND and DHCP source downloaded from ISC. This replaces the current key, which is expiring.

The old key for codes...@isc.org, with key ID 45AC7857189CDBC5, was created in 2013 with an expiration date of 31 January, 2015, a date that is fast approaching. It is being replaced by a new key with key ID 6FA6EBC9911A4C02, and an expiration date of 31 January, 2017.

Until the expiration of the 2013 key, ISC will sign code releases with both keys. This includes the development releases released today (BIND 9.9.7b1 and BIND 9.10.2b1.) You may therefore encounter a message from PGP or GPG when verifying your download if you do not have both keys in your keyring. You can disregard such messages as long as PGP or GPG confirms a valid signature with at least one of the keys.

Both keys are available from the ISC website:

https://www.isc.org/downloads/software-support-policy/openpgp-key/

And if you need instructions on how to verify a download using PGP or GPG, a brief summary can be found in the ISC Knowledge Base:

https://kb.isc.org/article/AA-01225

Given the recent security incident with the ISC web site, some will naturally ask whether the retirement of the old key was prompted by security concerns. The answer to that is no, we have no suspicion that the old key was compromised in any way; the key change is motivated solely by the January 31, 2015 expiration date that was set when the key was generated years ago. We are choosing this time to issue the replacement to allow an interim period during which people have time to retrieve the new key.

Some parties may also have reservations about trusting a key downloaded from a site that was recently compromised. If you prefer you can download the key from the public keyserver https://pgp.mit.edu

Please take note that after 31 January, 2015 new releases will no longer be signed using the expiring key (key id 45AC7857189CDBC5) and so if you use PGP or GPG to check the integrity of your downloads you should import the new key before that occurs.

Michael McNally
ISC Support
The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.
Last week ISC received a report from security firm Cyphort Labs informing us that our website, www.isc.org, was delivering malware content to visitors. Here is a summary of what we know and what we believe to be true about this incident.

What we know to a high degree of confidence:

+ Security on www.isc.org was compromised and the site was serving malware known as the Angler Exploit to visitors. Angler Exploit primarily targets Flash, Silverlight, and Microsoft Internet Explorer. Diagnosis and removal instructions for Angler Exploit malware are available on the web and existing resources do a better job of explaining than we could within the scope of this message. Please consult with them or with your chosen security vendor to find out what steps you need to take.

+ Only the main ISC website was compromised. There is no evidence that other ISC information services or critical ISC infrastructure (such as the F-root nameservers) were affected at all. While the main ISC web site has been replaced with a static page until it can be secured, other ISC information resources such as our Knowledge Base (kb.isc.org), FTP service (ftp.isc.org), and GIT repository (source.isc.org) were not compromised and continue to operate normally.

+ Although many visitors discover the links by visiting www.isc.org, ISC software products such as DHCP and BIND are actually delivered via the ISC ftp server (ftp.isc.org) which was not affected. For additional security, all official ISC software releases are cryptographically signed using the ISC code signing key (codes...@isc.org) and their integrity can be verified using PGP or GPG in conjunction with the codes...@isc.org public key.

What we strongly suspect:

+ The intrusion is believed to have been accomplished by exploiting a vulnerability in one of the plug-ins used by our Wordpress content management system.

+ We have no reason to believe that ISC was specifically targeted; we believe we were simply a convenient target because we used a vulnerable Wordpress component. According to security researchers at Sucuri.net, on the order of 100,000 Wordpress sites may have been compromised by this or similar attacks.

What are we doing to prevent this from happening again?

+ ISC took down the affected site and replaced it with a static page which will remain until we are confident that the site has been secured.

+ In the immediate short term, a new site is being built on a freshly-installed VM with more stringent security restrictions on Wordpress. All of the content on the site is being scrutinized by an engineer to make sure that the restored site does not contain any content introduced during the intrusion. Going forward, ISC will re-assess whether Wordpress is an appropriate choice for the foundation of our public website.

+ New policies will be adopted to track staff edits which, in conjunction with software tools which track changes in site content, will allow site admins to quickly identify any unexpected changes to the site in the future and respond accordingly.

ISC is deeply sorry for any inconvenience or risk caused to people who visited the www.isc.org site and we pledge to do our best to ensure that this situation does not reoccur.

Michael McNally
(writing for ISC Security Officer)
Re: Logs problem with Bind 9.9.4
On 8/2/14 9:55 AM, Reindl Harald wrote:
> jesus christ learn to use mailing-lists, stop to reply in private and strip your quotes

Constructive comments are welcome on bind-users. Criticism that does not further the discussion does not belong on the lists and doesn't help anybody. Please try to be positive, community-minded, and aware of the fact that not everybody has the same experience or habits when communicating via public mailing lists.

Please back off, take a deep breath, and remember that we are here to discuss BIND.

Michael McNally
ISC Support
List Moderator
A Note About Today's New BIND Releases
Today ISC publicly releases three new versions of BIND:

  BIND 9.10.0-P2
  BIND 9.9.5-P1
  BIND 9.8.7-P1

Version 9.10.0-P2 is a security release of BIND and addresses a critical vulnerability, CVE-2014-3859, that can be used as a denial of service vector against all authoritative and recursive nameservers running BIND 9.10.0 or BIND 9.10.0-P1. If you are running a version from the BIND 9.10 branch, you should upgrade to 9.10.0-P2 as soon as possible.

The other two release versions, BIND 9.9.5-P1 and BIND 9.8.7-P1 are being released simultaneously but are being labeled as operational releases; the critical security vulnerability disclosed in CVE-2014-3859 does not apply to the BIND 9.8 or 9.9 branches but they do correct an issue caused by changes to the Gnu Compiler Collection (GCC) which was previously disclosed in this ISC Operational Notification

https://kb.isc.org/article/AA-01167

These new versions of BIND remove the need for those who are building BIND with GCC 4.9.0 or greater to use the manual workaround described in that notification.

All three versions contain minor other fixes as well; please consult the release notes for full details and look for the notes marked with ** (which denote changes since the last release.)

BIND 9.10.0-P2 notes: https://kb.isc.org/article/AA-01171
BIND 9.9.5-P1 notes: https://kb.isc.org/article/AA-01170
BIND 9.8.7-P1 notes: https://kb.isc.org/article/AA-01169

In summary:

BIND 9.10.0-P2:
- fixes security issue CVE-2014-3859
- fixes issue from ISC Operational Notification of 4 June 2014
- includes other minor fixes

BIND 9.9.5-P1:
- security issue CVE-2014-3859 is not applicable
- fixes issue from ISC Operational Notification of 4 June 2014

BIND 9.8.7-P1:
- security issue CVE-2014-3859 is not applicable
- fixes issue from ISC Operational Notification of 4 June 2014
- includes other minor fixes

As always, these versions of BIND can be downloaded from the ISC downloads page:

http://www.isc.org/downloads

or directly from the ISC ftp server

ftp://ftp.isc.org/isc/bind9
Re: A Note About Today's New BIND Releases
On 6/11/14 2:04 PM, Michael McNally wrote:
> In summary:
>
> BIND 9.10.0-P2:
> - fixes security issue CVE-2014-3859
> - fixes issue from ISC Operational Notification of 4 June 2014
> - includes other minor fixes
>
> BIND 9.9.5-P1:
> - security issue CVE-2014-3859 is not applicable
> - fixes issue from ISC Operational Notification of 4 June 2014

Apologies -- I lost a line when editing. BIND 9.9.5-P1 *also* includes minor fixes; you can get the details from the full release notes:

https://kb.isc.org/article/AA-01170

Look for the notes marked with ** to find changes since the previous base version.

> BIND 9.8.7-P1:
> - security issue CVE-2014-3859 is not applicable
> - fixes issue from ISC Operational Notification of 4 June 2014
> - includes other minor fixes
An Operational Notification Has Been Posted to bind-announce
This is just a mention, for the benefit of those who are subscribed to bind-users but not bind-announce, that an Operational Notification has been posted to the latter list concerning issues some operators have reported after building BIND with GCC 4.9.0.

The Operational Notification can also be found in our ISC Knowledge Base:

https://kb.isc.org/article/AA-01167
ISC Responds to Questions About SRTT Algorithm Vulnerability
This week several of our customers have contacted us to inquire about our reaction to an article entitled Critical Vulnerability in BIND Software Puts DNS Protocol Security at Risk [1]

ISC would like to clarify that we evaluated the risk from this issue in 2013 when it was disclosed to us, and do not judge it to be a critical vulnerability or feel that it puts DNS protocol security at risk.

The article linked above is light on details but you can read the original presentation from Woot '13 [2] if you would like more background information on the SRTT algorithm flaw that allows an attacker to influence selection of a specific nameserver from the servers available in the NS record RRSET.

The authors of that paper responsibly reported the issue to ISC prior to their conference presentation and we evaluated it for its security threat potential at that time. We reached the conclusion that the technique described did not by itself constitute an exploitable defect in BIND security but did have potential for use as an enhancement for other attacks. In order to explain the matter and make operators aware of it, we issued an Operational Notification for BIND admins [3] and announced it on public mailing lists in August 2013.

Renewed interest in this matter has prompted us to re-examine the issue to see whether any new information has changed our opinion of the issue's severity. At this time we still believe that the manipulation of server selection through exploitation of a flaw in the SRTT algorithm represents at best a supplement to other attack vectors. Nevertheless, ISC intends to correct the flaw in a future release of BIND but has not committed to a timetable for doing so.

If you are aware of an active exploit which uses this technique, or if you believe you are aware of an implication we may not have considered, we encourage you to share your concerns with our ISC Security Officers by e-mailing security-offi...@isc.org. Please encrypt any communications containing sensitive security information using the Security Officer PGP key. [4]

Thank you for the opportunity to clarify this matter,

Michael McNally, ISC Support

[1] Critical Vulnerability in BIND Software Puts DNS Protocol Security at Risk
    http://thehackernews.com/2014/05/critical-vulnerability-in-bind-software.html

[2] Subverting BIND's SRTT Algorithm Derandomizing NS Selection
    https://www.usenix.org/conference/woot13/workshop-program/presentation/hay

[3] A Vulnerability in the SRTT Algorithm affects BIND 9 Authoritative Server Selection
    https://kb.isc.org/article/AA-01030

[4] ISC Public PGP Keys
    http://www.isc.org/downloads/software-support-policy/openpgp-key/
BIND, DHCP, and CVE-2014-0160 (the OpenSSL Heartbleed bug)
Earlier this week, the OpenSSL project (http://openssl.org) announced CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL 1.0.1f and 1.0.2-beta1) In many stories, this vulnerability is being referred to as the Heartbleed bug.

Because ISC products can be built to link against OpenSSL libraries, users of BIND 9 and ISC DHCP have asked us to clarify whether or not their systems are at risk due to CVE-2014-0160. Rather than answer questions individually, we hope that this will clarify the matter for our users and reassure them that their services are safe from this security vulnerability.

1) Is BIND vulnerable?

After consulting with our developers, we are pleased to report that BIND 9 does not make use of the vulnerable parts of the OpenSSL libraries, so BIND services are NOT at risk from CVE-2014-0160.

2) Is ISC DHCP vulnerable?

ISC DHCP does not use the affected parts of the OpenSSL library, either. ISC DHCP services are not at risk from CVE-2014-0160.

3) What about Windows binary packages?

For the benefit of Windows users, ISC provides installable binary distributions of BIND 9 for those who wish to run it on Windows servers. At the time of this message, the most recent Windows binary distributions include vulnerable versions of the OpenSSL shared libraries. These shared library files are safe for use with BIND 9 because BIND does not use the flawed parts of the library, but operators should not use the provided libraries with other applications.

Future versions of the Windows binary distributions will include updated OpenSSL libraries with the security issues fixed, but we have no current plans to release emergency security releases for Windows because the libraries provided are safe for BIND 9.

Michael McNally
ISC Support
BIND 9.10.0b1 has been released.
BIND 9.10.0b1 has been released and is now available from:

http://www.isc.org/downloads

At ISC we are quite excited about the long list of new features and feature improvements in this major release and we hope that you'll share our enthusiasm. We'd particularly like to hear from DNS operators who have a chance to try the new software while it is in beta and provide feedback on the new features and utilities that have been added.

If you have an interest in helping us to improve BIND, please consider joining the bind-beta-response list and sharing your experience with the development release.

https://lists.isc.org/mailman/listinfo/bind-beta-response
New BIND versions are available (-W1 versions)
Recent maintenance releases of BIND (BIND 9.9.5, 9.8.7, and 9.6-ESV-R11) were found to contain a defect preventing the included dig, nslookup, and host utilities from exiting properly when run on Microsoft Windows systems. Only Windows systems were affected.

To address this regression, which was caused by a fix for another issue which exposed a previously harmless bug in BIND's Windows network code, ISC is issuing replacement versions of the maintenance releases for Windows users.

  BIND 9.9.5-W1 replaces BIND 9.9.5
  BIND 9.8.7-W1 replaces BIND 9.8.7

and even though we publicly stated that there would be no further fixes to BIND 9.6-ESV..

  BIND 9.6-ESV-R11-W1 replaces BIND 9.6-ESV-R11.

(..but this time we mean it about 9.6-ESV being EOL. Seriously. Upgrade.)

All three versions are available from:

http://www.isc.org/downloads

Our apologies to the Windows users that this regression affected. Unix users do not need to upgrade to the new versions.
Case-Insensitive Response Compression May Cause Problems With Mixed-Case Data and Non-Conforming Clients
Hello, BIND Server Operators,

ISC would like to make you aware of a recent change in the behavior of BIND that has been reported by one customer to have caused an operational issue in their environment due to its effect on the case of data returned in response to client queries. The remainder of this posting explains the potential issue, which we believe will not affect most operators, but you should be aware of the potential in case you are one of those affected.

This explanation is also provided in our Knowledge Base:

https://kb.isc.org/article/AA-01113

--

The most recent maintenance releases of BIND (9.9.5, 9.8.7, and 9.6-ESV-R11) include a fix which we would like to highlight for your attention:

  3645. [protocol] Use case sensitive compression when responding to queries. [RT #34737]

This change was made to bring BIND into compliance with RFC 1034, which states:

  By convention, domain names can be stored with arbitrary case, but domain name comparisons for all present domain functions are done in a case-insensitive manner, assuming an ASCII character set, and a high order zero bit. This means that you are free to create a node with label A or a node with label a, but not both as brothers; you could refer to either using a or A. When you receive a domain name or label, you should preserve its case.

Change #3645 was present in the precursor development releases for 9.9.5 et al but we received no reports of problems during the alpha and beta test periods.

We still believe the change is correct in terms of compliance with the RFC, and BIND has been performing case-preserving compression for zone transfers for years without issue -- this change affects the data returned by regular queries -- however, we wish to inform you that a customer whose DNS data included both upper-case and lower-case representations of identical names experienced operational problems with client appliance devices that did not correctly implement the corresponding part of the paragraph above; that is, that domain name comparisons be done in a case-insensitive manner.

Case was not previously being preserved by the server when compression was being used and as a result change #3645 had the effect in this customer's environment of causing a different reply to be returned by BIND 9.9.5 et al. In conjunction with the case-sensitivity of the misbehaving client devices, an operational issue was created by this mismatch.

Operators encountering similar issues should be able to correct them by providing the exact case expected by client devices in their zone data (both in the domain names themselves and in references to those names in records of type NS, MX, SRV, CNAME, and other record types which use a domain name as their data.)

Currently ISC are assessing whether the impact of this change justifies further measures or whether the change in BIND should stand as written. One key piece of information that would inform our decision is an estimate of the frequency of operational problems that might be caused by this change. So far we have no clear cues how to estimate that frequency based on our single report received. You can aid us by informing us of any issues encountered that you believe are related to this change in case preservation.

Please send reports to bind9-b...@isc.org

Michael McNally
ISC Support
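The effect of change #3645 is easiest to see on the wire, so here is an added illustration written for this page (it is not BIND's code, and it simplifies real message construction considerably). A toy response builder writes names in RFC 1035 label format and remembers every suffix it has already emitted; when a later name (or suffix) matches an earlier one it emits a 0xC0 compression pointer instead. With case-insensitive matching, the old behaviour, the second occurrence becomes a pointer to the first, so a client decodes it with the first occurrence's case. With exact-byte matching, the new behaviour, each occurrence keeps the case it had in the zone. The names "Mail.Example.COM" and "mail.example.com" are constructed sample data standing in for an owner name and a target name that differ only in case.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX    512
#define MAX_SUFFIX 64

/* Toy response buffer with a suffix table for name compression.
 * Simplified stand-in for a real server's message builder. */
struct msg {
    uint8_t  buf[MSG_MAX];
    size_t   len;
    struct { char name[256]; uint16_t off; } seen[MAX_SUFFIX];
    int      nseen;
    int      case_sensitive;   /* 0: old behaviour, 1: change #3645 */
};

static int names_equal(const char *a, const char *b, int case_sensitive)
{
    for (; *a && *b; a++, b++) {
        int ca = *a, cb = *b;
        if (!case_sensitive) {
            ca = tolower((unsigned char)ca);
            cb = tolower((unsigned char)cb);
        }
        if (ca != cb)
            return 0;
    }
    return *a == *b;
}

static int find_suffix(const struct msg *m, const char *suffix)
{
    for (int i = 0; i < m->nseen; i++)
        if (names_equal(m->seen[i].name, suffix, m->case_sensitive))
            return m->seen[i].off;
    return -1;
}

/* Append a dotted name in wire format; returns the offset it starts at. */
size_t put_name(struct msg *m, const char *name)
{
    size_t start = m->len;
    for (const char *p = name; *p; ) {
        int off = find_suffix(m, p);
        if (off >= 0) {                         /* point at the earlier copy */
            m->buf[m->len++] = (uint8_t)(0xC0 | (off >> 8));
            m->buf[m->len++] = (uint8_t)(off & 0xFF);
            return start;
        }
        if (m->nseen < MAX_SUFFIX) {            /* remember this suffix */
            snprintf(m->seen[m->nseen].name, sizeof m->seen[0].name, "%s", p);
            m->seen[m->nseen].off = (uint16_t)m->len;
            m->nseen++;
        }
        const char *dot = strchr(p, '.');
        size_t n = dot ? (size_t)(dot - p) : strlen(p);
        m->buf[m->len++] = (uint8_t)n;          /* label length, then label */
        memcpy(m->buf + m->len, p, n);
        m->len += n;
        p += n + (dot ? 1 : 0);
    }
    m->buf[m->len++] = 0;                       /* root label ends the name */
    return start;
}

/* Decode the name at off the way a client does, following pointers;
 * whatever bytes are on the wire determine the case the client sees. */
void get_name(const struct msg *m, size_t off, char *out)
{
    size_t o = 0;
    for (;;) {
        uint8_t c = m->buf[off];
        if (c == 0)
            break;
        if ((c & 0xC0) == 0xC0) {               /* compression pointer */
            off = (size_t)(((c & 0x3F) << 8) | m->buf[off + 1]);
            continue;
        }
        if (o)
            out[o++] = '.';
        memcpy(out + o, m->buf + off + 1, c);
        o += c;
        off += (size_t)c + 1;
    }
    out[o] = '\0';
}

/* Constructed reply with the same name in two cases; returns what the
 * client decodes for the second occurrence under the chosen policy. */
void second_name_as_seen_by_client(int case_sensitive, char *out)
{
    struct msg m = { .case_sensitive = case_sensitive };
    put_name(&m, "Mail.Example.COM");                   /* e.g. owner name */
    size_t off = put_name(&m, "mail.example.com");      /* e.g. MX target */
    get_name(&m, off, out);
}

int main(void)
{
    char out[256];
    second_name_as_seen_by_client(0, out);
    printf("case-insensitive compression (old): %s\n", out);
    second_name_as_seen_by_client(1, out);
    printf("case-sensitive compression (#3645): %s\n", out);
    return 0;
}
```

A client that compares names case-insensitively, as RFC 1034 requires, sees no difference between the two outputs; the appliance described in the notice did not, which is why the same zone data produced a working reply before #3645 and a failing one after it.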
New Development Versions of BIND are Available (9.9.5rc1, 9.8.7rc1, and 9.6-ESV-R11rc1)
New development versions of BIND are now available from http://www.isc.org/downloads

Versions 9.9.5rc1, 9.8.7rc1, and 9.6-ESV-R11rc1 include changes based on feedback we received from users during the beta period, but we still welcome testing and feedback from our users and encourage anyone interested to put these release candidates to the test.

Thank you,

Michael McNally
Internet Systems Consortium
Re: New development versions of BIND are available: 9.9.5b1, 9.8.7b1, 9.6-ESV-R11b1
On 12/20/13 6:31 PM, Michael McNally wrote:
> New development versions of BIND are now available from http://www.isc.org/downloads
>
> BIND 9.9.5b1 Release Notes -- https://kb.isc.org/article/AA-01074
> BIND 9.8.7b1 Release Notes -- https://kb.isc.org/article/AA-01076
> BIND 9.6-ESV-R11b1 Release Notes -- https://kb.isc.org/article/AA-01077

We are well aware that the end of the calendar year is a very busy time for many of our users and that most of you probably had other things on your mind when the development releases above were made available towards the end of December. But now that the new year has started, we'd like to encourage those who have an interest to take a look at the betas and give them a spin, and also to encourage those who are already using them to take time to provide feedback on their experience.

Our developers are working hard to improve BIND 9 and we've added features and bug fixes that we think will matter to you. But as always, the best way for us to know what you would like to see in BIND is for you to tell us. Please consider taking some time to give us feedback on our development releases -- community participation is a vital part of our open software development process.

Thanks and Happy New Year!

Michael McNally, ISC
New development versions of BIND are available: 9.9.5b1, 9.8.7b1, 9.6-ESV-R11b1
New development versions of BIND are now available from http://www.isc.org/downloads

BIND 9.9.5b1 Release Notes -- https://kb.isc.org/article/AA-01074
BIND 9.8.7b1 Release Notes -- https://kb.isc.org/article/AA-01076
BIND 9.6-ESV-R11b1 Release Notes -- https://kb.isc.org/article/AA-01077
BIND 9.10.0a1 is now available
BIND 9.10.0a1, the first alpha development release of BIND 9.10, a new branch of BIND 9, is now available for download from http://www.isc.org/downloads

For more details, please see the release announcement in the bind-announce list: http://www.isc.org/downloads or read the release notes in the ISC Knowledge Base: https://kb.isc.org/article/AA-01072

User experience with our development releases is an important source of information for our developers. We look forward to feedback -- positive or negative -- from users who have the time to evaluate the development releases and provide their impressions. Thank you in advance for those who take the time to do so -- you are helping us to improve BIND.
New Versions of BIND Are Available
In connection with CVE-2013-6320, which corrects a possible security vulnerability on Windows versions of BIND, new releases are available at http://www.isc.org/downloads

- 9.9.4-P1
- 9.8.6-P1
- 9.6-ESV-R10-P1

The official announcement for this vulnerability has been sent to the bind-announce mailing list, or you can find CVE-2013-6320 here: https://kb.isc.org/article/AA-01062

Michael McNally
ISC Support
New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)
New versions of BIND are now available from http://www.isc.org/downloads

See the messages in bind-announce announcing BIND 9.9.4, 9.8.6, and 9.6-ESV-R10 or read the release notes in the ISC Knowledge Base ( https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/ ) for more info on the features, changes, and bug fixes included in the new releases.
Re: BIND with RPZ - CPU Affinity
On 8/30/13 2:45 AM, Arie Lendra Putra wrote:
> 2x Xeon (total seen by OS: 24 CPUs), 16GB RAM, Ubuntu Server 12.04
>
> We tested a limited RPZ list with BIND 9.8.1 (came with Ubuntu 12.04) and put it on the live network; the result is OK, all load is shared among the 24 CPUs, @10% usage.
>
> Then in response to the BIND Security Advisory (exploit), we upgraded it to 9.8.5-P2, and we increased the RPZ list to a huge list (1.3M blacklist).
>
> But now the CPU load seems to focus only on CPU0 (40%), and the remaining CPUs (1-23) are only around 2%.
>
> Any idea what may seem to be the problem?

Did you build the 9.8.5-P2 binaries yourself from ISC source or do you know what configure options were used? (If you're not sure, you can check by running named -V.)

You might check to make sure that threads are enabled, or enable them explicitly with ./configure --enable-threads (+whatever other options you built with previously) before re-building the source.
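A script for the check suggested in the reply above, added here as an example and not part of the thread or of ISC's tooling: it reads the configure line that `named -V` prints, reports whether threads were explicitly enabled or disabled, rebuilds the configure command with --enable-threads added, and reads the live thread count from /proc/<pid>/status. The `named -V` text and the /proc excerpt are constructed samples and the flags in them are assumptions, not the poster's real build.

```python
import re
import shlex

# Constructed sample of `named -V` output in the 9.8-era format
# ("BIND <version> built with '<configure args>'"); the flags are assumed
# for illustration and were not taken from the poster's server.
SAMPLE_NAMED_V = (
    "BIND 9.8.5-P2 built with '--prefix=/usr/local' '--sysconfdir=/etc/bind' "
    "'--disable-threads' '--with-openssl=/usr'\n"
    "using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013\n"
)

# Constructed /proc/<pid>/status excerpt for a running named (Linux only).
SAMPLE_PROC_STATUS = "Name:\tnamed\nState:\tS (sleeping)\nPid:\t4242\nThreads:\t24\n"


def configure_options(named_v_output):
    """Return the single-quoted configure arguments from the first line of `named -V`."""
    lines = named_v_output.splitlines()
    return re.findall(r"'([^']*)'", lines[0]) if lines else []


def thread_status(named_v_output):
    """Classify the build as 'enabled', 'disabled' or 'default'.

    'default' means neither --enable-threads nor --disable-threads was passed,
    so configure picked the platform default; confirm on the running process.
    """
    opts = configure_options(named_v_output)
    if "--disable-threads" in opts:
        return "disabled"
    if "--enable-threads" in opts:
        return "enabled"
    return "default"


def rebuild_command(named_v_output):
    """Reproduce the recorded configure line with threads forced on."""
    keep = [o for o in configure_options(named_v_output)
            if o not in ("--enable-threads", "--disable-threads")]
    return "./configure " + " ".join(shlex.quote(o) for o in keep + ["--enable-threads"])


def running_threads(proc_status_text):
    """Thread count of a live named, from the Threads: line of /proc/<pid>/status.

    A single-threaded named shows 1 here; a threaded build typically shows one
    worker per CPU plus a few housekeeping threads.
    """
    m = re.search(r"^Threads:\s*(\d+)$", proc_status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("build:", thread_status(SAMPLE_NAMED_V))
    print("rebuild with:", rebuild_command(SAMPLE_NAMED_V))
    print("running threads:", running_threads(SAMPLE_PROC_STATUS))
```

On a real host, feed it `subprocess.check_output(["named", "-V"], text=True)` and the contents of `/proc/$(pidof named)/status`; a thread count of 1 on a 24-CPU box explains a load profile pinned to CPU0 regardless of what the configure line says.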
New development versions of BIND are available
New development releases BIND 9.9.4rc1, BIND 9.8.6rc1, and BIND 9.6-ESV-R10rc1 have been publicly released and are now available for download from: http://www.isc.org/downloads/all

For release notes please visit the ISC Knowledge Base ( http://kb.isc.org ) or see the official release announcements on the bind-announce list.

- Michael McNally
ISC Support
CVE-2013-3919 [was Re: resolver.c:4858: fatal error]
On 6/4/13 1:06 AM, Stas Pirogov wrote:
> Hello,
>
> since upgrading our binds to 9.9.3 (from 9.9.2-P2) I've got the following crash a couple of times in the last 3 days:
>
> 04-Jun-2013 08:33:09.531 general: critical: resolver.c:4858: fatal error:
> 04-Jun-2013 08:33:09.531 general: critical: RUNTIME_CHECK(tresult == 0) failed
> 04-Jun-2013 08:33:09.531 general: critical: exiting (due to fatal error in library)
>
> We're running various versions of CentOS. This happened on both 5.3 and 5.5.
>
> Please advise

Congratulations, you have discovered a bug in BIND 9.9.3, 9.8.5, and 9.6-ESV-R9. After analyzing it and concluding that the defect was potentially usable as a denial-of-service vector, our software developers have produced an emergency patch release which has been announced on the bind-announce mailing list.

New versions of BIND are available to replace 9.9.3, 9.8.5, and 9.6-ESV-R9. Because the bug was introduced in the beta cycle for the most recent set of maintenance releases, the versions listed above are the only release versions of BIND affected. They are replaced by:

- 9.9.3-P1
- 9.8.5-P1
- 9.6-ESV-R9-P1

all of which can be found on the ISC ftp site, ftp://ftp.isc.org/isc/bind9

Michael McNally
ISC Support
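Detection logic for the crash signature quoted above, written for this page as an added example (not ISC code): it parses named's default log line format and pairs the `file.c:line` location, the failed RUNTIME_CHECK/REQUIRE/INSIST/ENSURE expression and the `exiting (...)` line into one record per crash, so a log monitor can alert on any assertion-driven exit rather than on this one line number. The log excerpt is constructed; the first crash reproduces the three lines from the thread, the second crash (its file, line number and expression) is made up to show the single-line assertion format.

```python
import re

# named's default log line: "<dd-Mon-yyyy hh:mm:ss.mmm> <category>: <severity>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")
# "<file>.c:<line>: ..." prefix that both fatal errors and assertion failures carry
LOCATION_RE = re.compile(r"^(?P<file>[\w./-]+\.c):(?P<line>\d+): (?P<rest>.*)$")
# The failed check itself: RUNTIME_CHECK is logged on its own line after "fatal error:",
# the REQUIRE/INSIST/ENSURE family shares the line with its location.
CHECK_RE = re.compile(r"^(?P<kind>RUNTIME_CHECK|REQUIRE|INSIST|ENSURE)\((?P<expr>.*)\) failed$")
EXIT_RE = re.compile(r"^exiting \(due to (?P<reason>.+)\)$")

# Constructed excerpt: the first crash reproduces the lines quoted in the thread,
# the second (file, line number, expression) is invented to show the other format.
SAMPLE_LOG = """\
04-Jun-2013 08:33:05.100 general: info: zone example.com/IN: loaded serial 2013060401
04-Jun-2013 08:33:09.531 general: critical: resolver.c:4858: fatal error:
04-Jun-2013 08:33:09.531 general: critical: RUNTIME_CHECK(tresult == 0) failed
04-Jun-2013 08:33:09.531 general: critical: exiting (due to fatal error in library)
04-Jun-2013 09:10:00.001 general: notice: starting BIND 9.9.3-P1
04-Jun-2013 09:12:44.207 general: critical: dst_api.c:1234: REQUIRE(key != NULL) failed
04-Jun-2013 09:12:44.207 general: critical: exiting (due to assertion failure)
"""


def parse_line(line):
    """Split one log line into its fields, or None if it is not in named's format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_fatal_errors(log_text):
    """One record per assertion- or runtime-check-driven exit of named."""
    crashes, pending = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["severity"] != "critical":
            continue
        msg = rec["msg"]
        loc = LOCATION_RE.match(msg)
        if loc:
            pending = {"time": rec["ts"], "file": loc["file"], "line": int(loc["line"]),
                       "kind": None, "expr": None, "reason": None}
            msg = loc["rest"]
        chk = CHECK_RE.match(msg)
        if chk:
            if pending is None:     # check line without a preceding location line
                pending = {"time": rec["ts"], "file": None, "line": None,
                           "kind": None, "expr": None, "reason": None}
            pending["kind"], pending["expr"] = chk["kind"], chk["expr"]
        ext = EXIT_RE.match(msg)
        if ext and pending is not None:
            pending["reason"] = ext["reason"]
            crashes.append(pending)
            pending = None
    return crashes


def summarize(crash):
    """One-line alert text for a crash record."""
    return "%s %s:%s %s(%s) -> %s" % (crash["time"], crash["file"], crash["line"],
                                      crash["kind"], crash["expr"], crash["reason"])


if __name__ == "__main__":
    for crash in find_fatal_errors(SAMPLE_LOG):
        print(summarize(crash))
```

Alerting on the record (file, check, reason) rather than on the full text also groups repeats of the same crash, which is what you want when a resolver is being knocked over by queries every few hours.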
New Versions of BIND Are Now Available, Including the First Version of BIND 9.9-ESV
BIND 9.9.3, BIND 9.8.5, and BIND 9.6-ESV-R9 have been released and are available to be downloaded from the ISC ftp site or from http://www.isc.org/downloads/all

Full release announcements have been posted to the bind-announce list (visit https://lists.isc.org/mailman/listinfo to manage your subscriptions to ISC mailing lists or to visit the list archives.)

---

BIND 9.9-ESV and a New Naming Convention for ESVs

In addition to being the most feature-filled version of BIND to date, BIND 9.9.3 is also the first version in the BIND 9.9-ESV series. With the introduction of 9.9-ESV, ISC is changing our previous naming system for Extended Support Versions of BIND 9.

Previously when a series was designated an extended support version of BIND, the naming of individual releases in that series was changed to include the designation string ESV. For example, prior to 9.9-ESV, the previous ESV series was 9.6-ESV. In the BIND 9.6 release series, the versions that became the ESV branch were given names as follows:

9.6.1, 9.6.2, 9.6-ESV, 9.6-ESV-R1, ..., 9.6-ESV-R9

BIND 9.9-ESV is not going to continue this naming convention. Instead, BIND 9.9 series releases will be incremented normally (maintenance releases will increment the minor revision number, security fixes will add a suffix indicating an out-of-cycle patch, e.g. -P1, -P2, etc.) However, despite the omission of ESV from the version number, the BIND 9.9-ESV series will receive the same commitment to extended support lifetime that other ESV versions have received -- you can plan a migration to 9.9-ESV and have confidence that the code line will be supported for several years to come.

The other difference in naming convention for 9.9-ESV applies to the identification string reported by the server (for example in response to named -V). Versions of 9.9-ESV will include the string (Extended Support Version) in their identification string, e.g.

BIND 9.9.3 (Extended Support Version)

We hope that this will not cause unnecessary confusion for BIND users but after receiving feedback from customers and package maintainers it appeared that revising the naming convention for ESV releases was our best choice to address the concerns that some had expressed.
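The version grammar described in this message and in the CVE-2013-3919 reply above (b1/rc2 pre-release suffixes, -P1 patch suffixes, the old -ESV-Rn naming, and the plain dotted naming that 9.9-ESV will use) is enough to sort BIND versions and to check whether a running server is older than the fix on its branch. The following is an added example written for this page, not ISC tooling; the FIXED list is the one given in the CVE-2013-3919 reply. `below_fix` answers "older than the fix on this branch", which is wider than "affected" (the reply says only 9.9.3, 9.8.5 and 9.6-ESV-R9 carry that bug), and under the new convention nothing in a 9.9.x version string marks it as ESV: `named -V` and its "(Extended Support Version)" string is the place to look.

```python
import re

# BIND 9 version strings as used in ISC announcements:
#   9.9.3  9.9.3-P1  9.9.3b1  9.9.3rc2  9.10.0a1  9.6-ESV  9.6-ESV-R9  9.6-ESV-R9rc2  9.6-ESV-R9-P1
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|-ESV(?:-R(?P<esv_r>\d+))?)"   # third component, or old-style ESV
    r"(?:(?P<pre>a|b|rc)(?P<pre_n>\d+))?"               # alpha / beta / release candidate
    r"(?:-P(?P<p>\d+))?$")                              # out-of-cycle security patch

PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}   # a release sorts after its own pre-releases

# Replacement versions named in the CVE-2013-3919 reply above.
FIXED = ["9.9.3-P1", "9.8.5-P1", "9.6-ESV-R9-P1"]


def parse_version(s):
    """Break a BIND 9 version string into its numeric parts."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("not a BIND 9 version string: %r" % s)
    g = m.groupdict()
    old_style_esv = g["patch"] is None
    return {
        "major": int(g["major"]),
        "minor": int(g["minor"]),
        "old_style_esv": old_style_esv,   # "-ESV-Rn" naming; 9.9-ESV no longer marks this
        "patch": int(g["esv_r"] or 0) if old_style_esv else int(g["patch"]),
        "pre": g["pre"],
        "pre_n": int(g["pre_n"] or 0),
        "p": int(g["p"] or 0),
    }


def branch(s):
    """The release series a version belongs to: 9.9.x, 9.8.x or 9.6-ESV-Rx."""
    v = parse_version(s)
    return (v["major"], v["minor"], v["old_style_esv"])


def version_key(s):
    """Sort key: 9.6.2 < 9.6-ESV < 9.6-ESV-R1; 9.9.3b1 < 9.9.3rc2 < 9.9.3 < 9.9.3-P1."""
    v = parse_version(s)
    return (v["major"], v["minor"], int(v["old_style_esv"]), v["patch"],
            PRE_RANK[v["pre"]], v["pre_n"], v["p"])


def below_fix(running, fixed_versions):
    """The fixed version on the running server's branch if the server is older
    than it, else None.  'Older than the fix' is wider than 'affected': the
    advisory itself lists which versions carry the bug."""
    for fixed in fixed_versions:
        if branch(fixed) == branch(running) and version_key(running) < version_key(fixed):
            return fixed
    return None


if __name__ == "__main__":
    for running in ["9.9.3", "9.9.3-P1", "9.6-ESV-R9", "9.8.5rc1", "9.10.0a1"]:
        print(running, "->", below_fix(running, FIXED))
```

The same key also sorts a package mirror or an inventory of `named -V` strings correctly, which plain string comparison does not (it would put 9.9.3-P1 before 9.9.3rc2).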
New BIND Versions are Available: 9.9.3rc2, 9.8.5rc2, and 9.6-ESV-R9rc2
Hello, BIND Users --

The second release candidates for the upcoming maintenance releases of BIND are now available on the ISC FTP server. 9.9.3rc2, 9.8.5rc2, and 9.6-ESV-R9rc2 can now be downloaded; you will find them at http://www.isc.org/downloads/all

Also, please recall that in April we posted a change to our announcement policy for new versions. Previously we had announced each new version on each of the ISC public lists for BIND 9, but in order not to duplicate we are now posting only to bind-announce. We will post reminders here for the time being but if you are not subscribed to bind-announce we recommend that you consider it. You can manage your subscriptions for ISC's public mailing lists by visiting https://lists.isc.org/mailman/listinfo

Michael McNally
ISC Support
Re: Mailing list reply-to setting
On 5/8/13 9:43 AM, Carlos M. martinez wrote:
> Agreed, but, subject tagging is very useful for those who prefer to have things hit your inbox first, before archiving. And there seems to be a lot more agreement on the tagging issue than on the reply to.

Unless your mail setup is extremely restricted in what it can filter on, you have several choices of header which can be used by an automated filter to detect and classify appropriately according to list. (Personally I have procmail file bind-users traffic based on the List-Id: header, but I realize you may be in a different environment with different tools available.)

List-Id: BIND Users Mailing List <bind-users.lists.isc.org>

Michael McNally
ISC Support
Re: architecture question
On 5/8/13 9:33 AM, Jeremy P wrote:
> However, there are times where registering a real domain just isn't practical. For example, I'm not going to ask all of the students in my courses to go out and register a .com for the semester. It would be a waste of money as their systems never leave the local network, except through a NAT connection. So in those types of instances, I'm assuming .lan or .test are safest?

The flip side of this is that whatever you teach them they are going to take out into the wider world with them. If you teach them to use .local or .lan, some of them (at least) are going to continue using .local or .lan long after your class is over, at least until they run into enough problems to frustrate them into something more compatible with current practice.
ANNOUNCEMENT: New BIND versions are available.
Hello, bind-users readers:

ISC would like you to know that new versions of BIND are available; release candidates BIND 9.6-ESV-R9rc1, BIND 9.8.5rc1, and BIND 9.9.3rc1 have been released and made available via ISC's web and ftp sites.

We'd also like to take a minute of your time to explain a recent change in our announcement procedures when new versions of BIND are made available.

Until recently it has been our policy, when a new version is released, to send an announcement to each of the bind-related ISC public mailing lists. For those who are subscribed to multiple lists, this results in considerable duplication of the announcement e-mails. While it's true that disk space is cheap, your time and attention are precious and limited commodities and we would rather not bombard you with news of our releases if it's not necessary.

We've thought about it and decided that bind-announce is the suitable forum for these announcements and from now on we would like to send the announcement messages only to bind-announce. This will be a change in status for bind-users and bind-workers subscribers. For the next several releases we will also post to bind-users and bind-workers with a reminder message like this one so that members who are subscribed only to those lists will see that there are new versions, but we urge you to take a moment to subscribe to bind-users if you are not already receiving it. List traffic is minimal and consists almost exclusively of new version announcements and security advisories from ISC.

You can subscribe to the bind-announce list by visiting: https://lists.isc.org/mailman/listinfo/bind-announce

If you want to survey past list content without subscribing you can go to: https://lists.isc.org/pipermail/bind-announce/

Bind-users and bind-workers will continue to fulfill their functions as valuable community resources and discussion forums but beginning with this set of releases they will no longer receive the customary new version announcements.

Our hope is that this will result in fewer duplicate messages for everyone.

Thank you,
Michael McNally
ISC Support
Re: ANNOUNCEMENT: New BIND versions are available.
On 4/12/13 3:46 PM, Michael McNally wrote:
> We've thought about it and decided that bind-announce is the suitable forum for these announcements and from now on we would like to send the announcement messages only to bind-announce. This will be a change in status for bind-users and bind-workers subscribers. For the next several releases we will also post to bind-users and bind-workers with a reminder message like this one so that members who are subscribed only to those lists will see that there are new versions, but we urge you to take a moment to subscribe to bind-users

Please read that as "we urge you to take a moment to subscribe to bind-announce". The rest of the message, including the links below, references the correct list.

> if you are not already receiving it. List traffic is minimal and consists almost exclusively of new version announcements and security advisories from ISC.
>
> You can subscribe to the bind-announce list by visiting: https://lists.isc.org/mailman/listinfo/bind-announce
>
> If you want to survey past list content without subscribing you can go to: https://lists.isc.org/pipermail/bind-announce/
BIND 9.9.3b2 is now available
Introduction

BIND 9.9.3b2 is the second beta release of BIND 9.9.3. This document summarizes changes from BIND 9.9.2 to BIND 9.9.3b2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]
- Prevents a named assert (crash) when using RPZ to generate A records (but not AAAA records) and DNS64 to generate AAAA records from A records. (CVE-2012-5689) [RT #32141]

New Features

- Add support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]

Feature Changes

- Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
- Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
- Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]
- named -V can now report a source ID string. (This will be of most interest to developers and troubleshooters.) The source ID for ISC's production versions of BIND is defined in the srcid file in the build tree and is normally set to the most recent git hash. [RT #31494]
- Response Policy Zone performance enhancements. New response-policy option min-ns-dots. nsip and nsdname now enabled by default with RPZ. [RT #32251]
- Now includes, in the community contribution section, a dynamically-loadable DLZ module: BDBHPT, contributed by Mark Goldfinch. [RT #32549]

Bug Fixes

- Allow max-cache-size and max-acache-size to accept values greater than 4 gigabytes when built with 64-bit integers. unlimited still means 4 gigabytes - 1 and 0 still allows truly unlimited cache sizes. [RT #32358]
- Removed lock contention issues that slowed zone loading times for 9.9.x compared with 9.8.x. Zone loading times are now faster than they were with 9.8.x. [RT #30399]
- The zone-statistics option now takes three options: full, terse, and none. yes is now a synonym for full. no is now a synonym for terse, which is how it behaved in previous versions. [RT #29165]
- The default value for the number of UDP dispatchers is now either the number of CPUs or the number of worker threads, whichever is lower. The previous default was the number of worker threads. [RT #30964]
- Fixed a crash bug with the loading of incomplete configurations including a slave zone with inline-signing and without a file name. [RT #31946]
- Corrected dnssec-signzone and dnssec-verify behavior with opt-out delegations and NSEC3. [RT #32072]
- Fixed rendering issues for some statistics with the XML stats channel. [RT #32587]
- Prevent a crash-on-shutdown race condition. [RT #32777]
- Fixed glitch in displaying query data when configured with --enable-newstats and no queries have yet been received. [RT #32620]
- Fixed bug where expired slave zones could fail to rewrite the zone data file after the master is again available. [RT #31276]
- Fixed a potential crash when adding and deleting keys with rndc. [RT #32506]
- Fixed a possible crash with Diffie-Hellman generated TSIG keys. [RT #32649]
- Now supports NAPTR regular expression validation on all platforms. [RT #32688]
- Increased maximum allowed key size for some algorithms in ddns-confgen and rndc-confgen. [RT #32753]
- nsupdate could exit with an assertion when the local and remote address families didn't match. [RT #22897]
- Fixes some potential memory leaks with gssapi usage. [RT #32405]
- Fixes a couple of linked-list pointer
Announcements for latest beta releases delayed by accident.
With apologies to readers of this list: the announcement e-mails for BIND 9.6-ESV-R9b2, 9.8.5b2, and 9.9.3b2 were sent to the bind-announce list earlier this week but a typo in my shell script incorrectly prevented the bind-users and bind-workers lists from receiving the announcement at that time.

The bind-announce list *is* the place to go for official announcements about BIND releases but since we have traditionally announced them in bind-users and bind-workers as well, I know some of you do not subscribe to the announce list. So for those who are just receiving this news -- new betas are available, have at them!

Again, apologies for the oversight,
Michael McNally
ISC Support
BIND 9.8.5b1 is now available
Introduction

BIND 9.8.5b1 is the first beta release of BIND 9.8.5. This document summarizes changes from BIND 9.8.4 to BIND 9.8.5b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]
- Prevents a named assert (crash) when using RPZ to generate A records (but not AAAA records) and DNS64 to generate AAAA records from A records. [RT #32141]
- A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [RT #31090]

New Features

- Add support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]

Feature Changes

- Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
- Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
- named -V can now report a source ID string. (This will be of most interest to developers and troubleshooters.) The source ID for ISC's production versions of BIND is defined in the srcid file in the build tree and is normally set to the most recent git hash. [RT #31494]

Bug Fixes

- dnssec-keygen and dnssec-settime disallow setting the delete date to be sooner than the inactive date. [RT #31719]
- Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]
- ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927]
- Missing 'managed-keys-directory' is now handled better. Prior to this change, when misconfigured, named could loop and consume 100% CPU. [RT #30625]
- Handle cases where a port is reserved and cannot be used as the source for a query. [RT #31778]
- Correct a case where a negative response could incorrectly be flagged as being DNSSEC authenticated when it was not actually authenticated. [RT #32237]
- Fix missing includes in testing support library that caused it to fail to build on some platforms. [RT #32012]
- Return correct error code (FORMERR) when presented with malformed requests containing overly long domain names. [RT #29682]
- Instead of rejecting and logging a FORMERR, named now accepts duplicate singleton records in a DNS query response. (In some situations, query responses may contain duplicates - and whilst this is not technically correct, BIND has been updated to be more tolerant). [RT #32329]
- When named allocates an initial per-thread stack size, it first checks the operating system's default value, and if specified, uses that. In the situation where it appears that none is provided, it uses an internal default. This default has been increased from 64K to 1M to accommodate operating systems that require a larger initial stack. [RT #32230]
- The allow-query-on ACL is now processed correctly in all situations. [RT #29486]
- The configure script now supports and detects libxml2-2.9.x correctly. [RT #32231]
- When loading a zone file, named now emits a warning if it encounters a non-blank owner name following $ORIGIN. The reason for this is that when parsing a zone file, the blank owner name indicates that the current name (i.e. the name from the previous record that named loaded) should be used, even though $ORIGIN has changed. Particularly when handling subdomains, this can result in those records being unexpectedly loaded with different labels than intended. [RT #31848]
- Resolves a problem that when answering queries for nonexistent names via wildcard CNAME records, DNSSEC responses could fail to include the NSEC/NSEC3 records proving the lack of a better answer. [RT #21409]
- Prevents a named abort (assertion fail) during recovery
BIND 9.9.3b1 is now available
Introduction

BIND 9.9.3b1 is the first beta release of BIND 9.9.3. This document summarizes changes from BIND 9.9.2 to BIND 9.9.3b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]
- Prevents a named assert (crash) when using RPZ to generate A records (but not AAAA records) and DNS64 to generate AAAA records from A records. [RT #32141]

New Features

- Add support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]

Feature Changes

- Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
- Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]
- Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]
- named -V can now report a source ID string. (This will be of most interest to developers and troubleshooters.) The source ID for ISC's production versions of BIND is defined in the srcid file in the build tree and is normally set to the most recent git hash. [RT #31494]

Bug Fixes

- dnssec-keygen and dnssec-settime disallow setting the delete date to be sooner than the inactive date. [RT #31719]
- Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]
- ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927]
- Missing 'managed-keys-directory' is now handled better. Prior to this change, when misconfigured, named could loop and consume 100% CPU. [RT #30625]
- Now only the programs that use the readline library will link with it (nslookup and nsupdate). [RT #29810]
- When using 'rndc addzone' of a zone with 'inline-signing yes;' named will first load the unsigned version and then afterwards successfully create the signed version. (Prior to this fix, the addzone would fail). [RT #31960]
- dnssec-checkds now emits a clear message when records are not found. This change also fixes a minor reporting problem whereby dnssec-checkds incorrectly reported that no DS records had been found for a KSK, despite having found and listed one. In addition, errors in the man pages (referencing the wrong utility) have been remedied. [RT #31968]
- dnssec-dsfromkey now no longer puts legal whitespace in DS hashes in order to inter-operate better with some overly-strict registrars. [RT #31951]
- Addresses portability issues (encountered when testing on HPUX) and corrects rndc signing -nsec3param to accept the full range of possible values. [RT #31938]
- Named should no longer die on shutdown if running with 128 UDP dispatches per interface. [RT #31743]
- Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now accepted in slave zone definitions in named.conf when inline-signing is being used. [RT #31078]
- Addresses build problems encountered on NetBSD 6.0 (renames the 'bool' parameter to avoid a namespace clash). [RT #31515]
- When using the zone reload method of importing changes to named with in-line signing, changes to SOA record parameters (other than the serial number alone) in the un-signed zone will now trigger named to update the signed version of the zone. Prior to this fix, if SOA parameters were updated while the server was offline but without any changes also being made to other records
BIND 9.6-ESV-R9b1 is now available
Introduction

BIND 9.6-ESV-R9b1 is the first beta release of BIND 9.6-ESV-R9. BIND 9.6-ESV is an Extended Support Version of BIND. This document summarizes changes from BIND 9.6-ESV-R8 to BIND 9.6-ESV-R9b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

* None

Feature Changes

* Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]
* Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

Bug Fixes

* Handle cases where a port is reserved and cannot be used as the source for a query. [RT #31778]
* Correct a case where a negative response could incorrectly be flagged as being DNSSEC authenticated when it was not actually authenticated. [RT #32237]
* Add support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]
* Fix missing includes in testing support library that caused it to fail to build on some platforms. [RT #32012]
* Return correct error code (FORMERR) when presented with malformed requests containing overly long domain names. [RT #29682]
* Instead of rejecting and logging a FORMERR, named now accepts duplicate singleton records in a DNS query response. (In some situations, query responses may contain duplicates - and whilst this is not technically correct, BIND has been updated to be more tolerant). [RT #32329]
* When named allocates an initial per-thread stack size, it first checks the operating system's default value, and if specified, uses that. In the situation where it appears that none is provided, it uses an internal default. This default has been increased from 64K to 1M to accommodate operating systems that require a larger initial stack. [RT #32230]
* The allow-query-on ACL is now processed correctly in all situations. [RT #29486]
* The configure script now supports and detects libxml2-2.9.x correctly. [RT #32231]
* When loading a zone file, named now emits a warning if it encounters a non-blank owner name following $ORIGIN. The reason for this is that when parsing a zone file, the blank owner name indicates that the current name (i.e. the name from the previous record that named loaded) should be used, even though $ORIGIN has changed. Particularly when handling subdomains, this can result in those records being unexpectedly loaded with different labels than intended. [RT #31848]
* Resolves a problem that when answering queries for nonexistent names via wildcard CNAME records, DNSSEC responses could fail to include the NSEC/NSEC3 records proving the lack of a better answer. [RT #21409]
* Prevents a named abort (assertion fail) during recovery from an out of memory condition. This crash would be encountered in module general: dst_api.c and logged as REQUIRE((key-refs)-refs == 0). [RT #32131]
* A new configure option --with-ecdsa has been added to force building with ECDSA, bypassing the script-based checks that this functionality is available in the build environment. The converse, --without-ecdsa, explicitly disables ECDSA support during the BIND build. Both of these options have been added to assist cross-compilation to environments that do (or don't) support ECDSA, overriding the default build behaviour. [RT #32078]
* XML statistics generated by Windows builds contained incorrectly formatted boot-time and current-time values. [RT #32044]
* dig now prints the timezone as part of the timestamp in the WHEN line of the output. [RT #2269]
* Fixes a race condition in acache.c that could cause named to crash if the
CVE-2012-5689: BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
ISC has learned of the potential for an error condition in BIND 9 that can cause a nameserver to terminate with an assertion failure when processing queries if it has been configured to use both DNS64 and Response Policy Zones (RPZ).

CVE: CVE-2012-5689
Document Version: 2.0
Posting date: 24 January 2013
Program Impacted: BIND 9
Versions affected: 9.8.0-9.8.4-P1, 9.9.0-9.9.2-P1
Severity: Low
Exploitable: Remotely

Description:

An error condition may occur when a nameserver which is configured to use DNS64 performs a lookup for a record with an A record rewrite rule in a Response Policy Zone (RPZ). If the RPZ is unable to provide an AAAA record for the name, but does provide a rewritten A record, then the DNS64 processing code will attempt to remap that A record into an AAAA record. Due to a coding error, this interaction between the RPZ database and the DNS64 remapping code can cause the named process to terminate with an assertion failure.

ISC believes the number of deployed systems that are using RPZ rewrite rules and also using DNS64 is extremely small; furthermore, the problem has an easy workaround (see below). However, ISC policy calls for disclosure of any potential vulnerability in BIND 9, regardless of how rarely the conditions for such a vulnerability may occur in production environments. Thus, despite the CVSS score, we assess the severity as Low, and will integrate the bug fix into the next beta release of the affected versions. No security patch release versions are planned, as the workaround is simple and affords complete protection.

To prevent accidental exposure of those using these features in combination, future versions of BIND 9 will include code to prevent any exploitation of this bug, beginning with beta versions scheduled to be released on January 24, 2013. However, the suggested workaround is a complete remedy for those who are using DNS64 in conjunction with RPZ, and is recommended in preference to running beta code in a production environment.

Impact:

Only nameservers that are configured to use both DNS64 and Response Policy Zones, and which are maintaining A rewrite rules but not AAAA rewrite rules, will be affected by this problem - in other words, only systems that are using RPZ to rewrite DNS records into A records, then attempting to remap those same A records into AAAA via DNS64. Systems that only use RPZ to generate NXDOMAIN or CNAME or NOERROR/NODATA responses, or to rewrite other resource record types besides A, will not trigger the bug.

CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workaround:

If using DNS64 and Response Policy Zones together, make sure the RPZ contains an AAAA rewrite rule for every A rewrite rule. If the RPZ provides an AAAA answer without the assistance of DNS64, the bug is not triggered.

Active exploits: None

Solution:

If you are currently running one of the affected versions, you have the following options:

1. Employ the workaround (see above).
2. Wait for BIND releases that include a fix preventing possible exploitation of the bug.

Acknowledgements:

ISC would like to thank Pories Ediansyah of Institut Teknologi Bandung for bringing this defect to our attention.

Document Revision History:

1.0 - 17 January 2013 Advance Notification to Phase One.
1.1 - 23 January 2013 Notification to Phase Two and Phase Three
2.0 - 24 January 2013 Notification to Phase Four (Public)

Related Documents:

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected. https://www.isc.org/software/bind/security/matrix

If you'd like more information on our Forum or product support please visit www.isc.org/software/guild or www.isc.org/support.

Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org

Note: ISC patches only currently supported versions: http://www.isc.org/software/bind/versions. When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found at: https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00855 is the complete and official security advisory document. There is also a summary article located on our website and linking to here: https://www.isc.org/software/bind/advisories/cve-2012-5689.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an
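As an added example (not ISC's code) for two zone-file points on this page, the $ORIGIN owner-name note in the 9.6-ESV-R9b1 release notes above and the RPZ workaround in this advisory, the following Python walks a simple master file, flags a record that inherits its owner immediately after an $ORIGIN change (the inherited name keeps the old origin rather than being re-expanded), and lists RPZ owners that carry an A rewrite rule with no AAAA rule. The zone contents, the names, and the rpz.example. policy zone are constructed placeholders.

```python
"""Master-file owner-name walker plus two zone-file checks (added example, not
ISC code).  Check 1 shows owner inheritance across $ORIGIN, the situation the
9.6-ESV-R9b1 note explains; check 2 audits an RPZ for A rewrite rules that have
no matching AAAA rule, the CVE-2012-5689 workaround condition.  The zone texts
and names below are constructed placeholders."""

CLASSES = {"IN", "CH", "HS"}


def absolute(name, origin):
    """Expand a master-file name relative to origin ('@' means the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_master(text, origin):
    """Return (records, warnings) for a simple RFC 1035 master file.

    records: list of (owner, rtype, rdata) with absolute owner names.
    warnings: one entry per record that inherits the previous owner
              immediately after an $ORIGIN change (inherited owners are NOT
              re-expanded under the new origin, which surprises people).
    Parenthesised multi-line records are not handled (not needed here).
    """
    if not origin.endswith("."):
        origin += "."
    records, warnings = [], []
    last_owner = None
    origin_just_changed = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = absolute(line.split()[1], origin)
            origin_just_changed = True
            continue
        if line.startswith("$"):                   # $TTL, $INCLUDE ...: ignore
            continue
        tokens = line.split()
        if line[0] in " \t":                       # blank owner field
            if last_owner is None:
                raise ValueError(f"line {line_no}: blank owner with no previous record")
            if origin_just_changed:
                warnings.append(
                    f"line {line_no}: record inherits owner {last_owner} "
                    f"immediately after $ORIGIN {origin}")
            owner = last_owner
        else:
            owner = absolute(tokens.pop(0), origin)
        origin_just_changed = False
        # optional TTL and class fields precede the type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"line {line_no}: missing record type")
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
        last_owner = owner
    return records, warnings


def rpz_missing_aaaa(records):
    """Owners with an A rewrite rule but no AAAA rewrite rule.  With DNS64
    enabled, such a rule makes named synthesize AAAA from the RPZ answer,
    which is exactly what the CVE-2012-5689 workaround tells you to avoid."""
    a_owners = {o for o, t, _ in records if t == "A"}
    aaaa_owners = {o for o, t, _ in records if t == "AAAA"}
    return sorted(a_owners - aaaa_owners)


# Constructed zone for check 1: the blank-owner record after $ORIGIN stays
# www.example.com., it does not become www.sub.example.com.
ORIGIN_ZONE = """\
$ORIGIN example.com.
www     A   192.0.2.1
$ORIGIN sub.example.com.
        A   192.0.2.2     ; owner inherited: still www.example.com.
host    A   192.0.2.3     ; host.sub.example.com.
"""

# Constructed RPZ for check 2 (policy zone rpz.example., placeholder names).
RPZ_ZONE = """\
$TTL 300
@               SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 900 604800 300
                NS    ns.rpz.example.
walled.example  A     192.0.2.10   ; walled garden: both families present
                AAAA  2001:db8::10
aonly.example   A     192.0.2.11   ; A-only rewrite: DNS64 would have to synthesize
"""

if __name__ == "__main__":
    recs, warns = parse_master(ORIGIN_ZONE, "example.com.")
    for r in recs:
        print(r)
    for w in warns:
        print("warning:", w)
    rpz, _ = parse_master(RPZ_ZONE, "rpz.example.")
    print("A rewrite rules without AAAA:", rpz_missing_aaaa(rpz))
```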
ISC Security Advisory: BIND 9 servers using DNS64 can be crashed by a crafted query
A specific query can cause BIND nameservers using DNS64 to exit with a REQUIRE assertion failure.

CVE: CVE-2012-5688
Document Version: 2.0
Posting date: 04 Dec 2012
Program Impacted: BIND
Versions affected: 9.8.0-9.8.4, 9.9.0-9.9.2
Severity: Critical
Exploitable: Remotely

Description:

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers.

Please Note: Support for DNS64 was added to BIND 9 in version 9.8.0. Therefore BIND 9 versions prior to 9.8.0 cannot be affected by this bug. Also, nameservers running versions 9.8.0 and greater can only be affected if DNS64 is turned on using the dns64 configuration statement. If you are not using DNS64 you are not at risk. For current information on which versions are actively supported, please see http://www.isc.org/software/bind/versions.

Impact:

Any BIND 9 nameserver configured to use DNS64 is vulnerable to this defect and can be crashed by any client machine from which it accepts queries.

CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Only BIND 9 servers which are configured to use DNS64 are vulnerable. For those servers, disallowing queries from untrusted clients (a recommended practice in any case) will slightly mitigate a server's exposure, but no workarounds are available which will completely protect an affected server against exploitation of this bug. If you are using DNS64 either disable it or upgrade to a fixed version.

Active exploits: No known active exploits.

Solution:

Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads/all.

BIND 9 version 9.8.4-P1
BIND 9 version 9.9.2-P1

Acknowledgements:

ISC would like to thank BlueCat Networks for bringing this defect to our attention.

Document Revision History:

1.0 - 27 November 2012 Advance Notification to Phase One.
1.1 - 03 December 2012 Notification to Phase Two and Phase Three
2.0 - 04 December 2012 Notification to Phase Four (Public)

Related Documents:

Japanese Translation: https://kb.isc.org/article/AA-00832
Spanish Translation: https://kb.isc.org/article/AA-00834
German Translation: https://kb.isc.org/article/AA-00833

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected. http://www.isc.org/software/bind/security/matrix

If you'd like more information on our Forum or product support please visit www.isc.org/software/guild or www.isc.org/support.

Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00828 is the complete and official security advisory document. There is also a summary article located on our website and linking to here: https://www.isc.org/software/bind/advisories/cve-2012-5688

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an AS IS basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

(c) 2001-2012 Internet Systems Consortium
BIND 9.9.2-P1 is now available
Introduction

BIND 9.9.2-P1 is a security-fix release, superseding BIND 9.9.2 as the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.1 to BIND 9.9.2-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 #30233]

New Features

* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool dnssec-checkds command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
* Introduces a new tool dnssec-verify that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
* Adds configuration option max-rsa-exponent-size value; that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228]

Feature Changes

* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

* Uses binary mode to open raw files on Windows. [RT #30944]
* When using DNSSEC inline signing with rndc signing -nsec3param, a salt value of - can now be used to indicate 'no salt'. [RT #30099]
* Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
* Static-stub zones now accept forward and forwarders options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type static-stub was an inadvertent oversight. [RT #30482]
* Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
* Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
* Improves OpenSSL error logging [RT #29932]
* The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
* The host command should no longer assert on some architectures and builds
BIND 9.8.4-P1 is now available
Introduction

BIND 9.8.4-P1 is a security-fix release, superseding BIND 9.8.4 as the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.3 to BIND 9.8.4-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (Note that this fix is a subset of a series of updates that will be included in full in BIND 9.8.5 and 9.9.3 as change #3388, RT #30996). [CVE-2012-5688] [RT #30792]
* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

* Uses binary mode to open raw files on Windows. [RT #30944]
* Static-stub zones now accept forward and forwarders options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type static-stub was an inadvertent oversight. [RT #30482]
* Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
* Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
* The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
* The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
* Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
* Removes spurious newlines from log messages in zone.c [RT #30675]
* When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
* All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
* Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent
BIND 9.7.7 is now available
Introduction

BIND 9.7.7 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.6 to BIND 9.7.7. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

* None

Feature Changes

* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

* Uses binary mode to open raw files on Windows. [RT #30944]
* Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
* The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
* The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
* Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
* Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
* Removes spurious newlines from log messages in zone.c [RT #30675]
* When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
* Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
* Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
* dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
* Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
* Upper-case/lower-case handling of RRSIG signer-names is
BIND 9.9.2 is now available
Introduction

BIND 9.9.2 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.1 to BIND 9.9.2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [CVE-2012-5166] [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [CVE-2012-4244] [RT #30416]
* Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
* ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 #30233]

New Features

* Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool dnssec-checkds command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
* Introduces a new tool dnssec-verify that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
* Adds configuration option max-rsa-exponent-size value; that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228]

Feature Changes

* Improves OpenSSL error logging [RT #29932]
* nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

* Uses binary mode to open raw files on Windows. [RT #30944]
* When using DNSSEC inline signing with rndc signing -nsec3param, a salt value of - can now be used to indicate 'no salt'. [RT #30099]
* Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
* Static-stub zones now accept forward and forwarders options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type static-stub was an inadvertent oversight. [RT #30482]
* Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
* Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
* Improves OpenSSL error logging [RT #29932]
* The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
* The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
* Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
* Removes spurious newlines from log messages in zone.c [RT #30675]
* When built
BIND 9.9.1-P4 is now available
Introduction

BIND 9.9.1-P4 is the latest production release of BIND 9.9.1 (BIND 9.9.2 is also available for download and is the latest production release of BIND 9.9). This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P4. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [RT #29539 #30233]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]
* A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the Linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some Linux distributors may have provided this functionality under their own version numbering systems.)

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients ACL definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds a wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Prevents intermittent named crashes following an rndc reload. [RT #28606]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]
* Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending. [RT #28419]
* Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467]
* Ensures that when a client recurses, its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346]
* Fixed a problem preventing proper use of 64-bit time values in libbind. [RT #26542]
* isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible
BIND 9.8.3-P4 is now available
Introduction

BIND 9.8.3-P4 is the latest production release of BIND 9.8.3 (BIND 9.8.4 is also available for download and is the latest production release of BIND 9.8). This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P4. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients ACL definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds a wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.7.6-P4 is now available
Introduction

BIND 9.7.6-P4 is the latest production release of BIND 9.7.6 (BIND 9.7.7 is also available for download, and is the latest production release of BIND 9.7). This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P4. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [RT #31090]
* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
Re: 10.in-addr.arpa Forwarder Zone
On 9/28/12 9:38 AM, Michael McNally wrote:
> Empty zone behavior has changed in 9.9, and the 10.0.0.0/8 zone is part of the changes. You can find a good explanation of the differences in this ISC Knowledge Base article: https://deepthought.isc.org/article/AA-00804

Oh drat -- that's the wrong empty zone article. The information you want is in *this* article:

https://deepthought.isc.org/article/AA-00803

Please forgive my error.

Michael McNally
ISC Support
Re: BIND 9.6-ESV-R7-P3 is now available
On 9/13/12 3:03 PM, Michael McNally wrote:
> BIND 9.8 will be the next version to become an Extended Support Version and will be supported for several years hence. BIND 9.8 is stable, reasonably mature, and will be supported with some feature improvements and all bug fixes.

I erred when composing this response to list user pangj. Actually BIND 9.9 will be the basis for the next sequence of Extended Support Versions. BIND 9.8 is scheduled to continue to receive support and improvements, and no End of Life date has been announced for it (for full details, see https://www.isc.org/software/bind/versions), but going forward, BIND 9.9 is going to be the basis for the next ESV.
Re: BIND 9.6-ESV-R7-P3 is now available
On 9/13/12 2:01 AM, pangj wrote:
> Should we use the latest 9.9 version of BIND instead of other 9.x?

At the current moment, ISC develops and provides patches for four different version sequences of BIND 9:

BIND 9.6-ESV
BIND 9.7
BIND 9.8
BIND 9.9

They are intended to serve slightly different functions for different users.

BIND 9.6-ESV is an Extended Support Version of BIND (as indicated by the -ESV suffix). Though 9.6 is no longer being actively developed, ISC made a commitment to continue supporting the existing code with security patches and bug fixes through March 2013.

BIND 9.7 is about to reach its End of Life (aka EOL). It was originally predicted to reach its final version in August 2012, after which it would receive no more updates (except possibly in very unusual circumstances). Its EOL has been pushed back to this month, but when BIND 9.7.7 comes out (before the end of this month) that is expected to be the final release version of BIND 9.7. Consequently you should not now be changing to the 9.7 line, but if you are on 9.7 you can upgrade to 9.7.6-P3 or 9.7.7 while you make plans to migrate to 9.8 or 9.9.

BIND 9.8 will be the next version to become an Extended Support Version and will be supported for several years hence. BIND 9.8 is stable, reasonably mature, and will be supported with some feature improvements and all bug fixes.

And BIND 9.9 is the version which is currently receiving the most development effort for new features and functionality.
BIND 9.9.1-P3 is now available
Introduction

BIND 9.9.1-P3 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P3. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [RT #29539 #30233]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]
* A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the Linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some Linux distributors may have provided this functionality under their own version numbering systems.)

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients ACL definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds a wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Prevents intermittent named crashes following an rndc reload. [RT #28606]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]
* Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending. [RT #28419]
* Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467]
* Ensures that when a client recurses, its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346]
* Fixed a problem preventing proper use of 64-bit time values in libbind. [RT #26542]
* isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265]
* Fixed a build error on systems without ENOTSUP. [RT #28200]
* The header file isc/hmacsha.h is now installed when building BIND. [RT #28169]
* responses will no longer be returned in the additional section
BIND 9.6-ESV-R7-P3 is now available
Introduction

BIND 9.6-ESV-R7-P3 is the latest production release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P3. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The tests on random jitter values that are used when handling zone refreshes have been relaxed. Prior to this change named could terminate unexpectedly when processing stub zones. [RT #19821]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.7.6-P3 is now available
Introduction

BIND 9.7.6-P3 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P3. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.8.3-P3 is now available
Introduction

BIND 9.8.3-P3 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P3. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Prevents a named assert (crash) when queried for a record whose RDATA exceeds 65535 bytes. [RT #30416]
* Prevents a named assert (crash) during validation, caused by using bad cache data before it has been initialized. [RT #30025]
* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients ACL definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault in resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds a wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb heaps, to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag -R has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (Darwin). [RT #28565]
* named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
ISC Security Advisory: A Specially Crafted Resource Record Could Cause named to Terminate
Note: This email advisory is provided for your information. The most up to date advisory information will always be at:

https://kb.isc.org/article/AA-00778

Please use this URL for the most up to date advisory information.

---

CVE-2012-4244: A specially crafted Resource Record could cause named to terminate

A nameserver can be caused to exit with a REQUIRE exception if it can be induced to load a specially crafted resource record.

CVE: CVE-2012-4244
Document Version: 2.0
Posting date: 12 September 2012
Program Impacted: BIND
Versions affected: 9.0.x - 9.6.x, 9.4-ESV - 9.4-ESV-R5-P1, 9.6-ESV - 9.6-ESV-R7-P2, 9.7.0 - 9.7.6-P2, 9.8.0 - 9.8.3-P2, 9.9.0 - 9.9.1-P2
Severity: Critical
Exploitable: Remotely

Description:

If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record will cause named to exit with an assertion failure.

Please Note: Versions of BIND 9.4 and 9.5 are also affected, but these branches are beyond their end of life (EOL) and no longer receive testing or security fixes from ISC. For current information on which versions are actively supported, please see http://www.isc.org/software/bind/versions.

Impact:

This vulnerability can be exploited remotely against recursive servers by inducing them to query for records provided by an authoritative server. It affects authoritative servers if a zone containing this type of resource record is loaded from file or provided via zone transfer.

CVSS Score: 7.8
CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds: None are known at this time.

Active exploits: No known active exploits.

Solution: Upgrade to the patched version or new release most closely related to your current version of BIND.

The patched versions (-P3) of BIND can be downloaded from http://www.isc.org/downloads/all. The new release versions will be available within the next week.

BIND 9 version 9.7.7, 9.7.6-P3
BIND 9 version 9.6-ESV-R8, 9.6-ESV-R7-P3
BIND 9 version 9.8.4, 9.8.3-P3
BIND 9 version 9.9.2, 9.9.1-P3

Document Revision History:

1.0 - 4 Sept. 2012 - Advance Notification to Phase 1
1.1 - 6 Sept. 2012 - Corrected error in Description (65535 bytes)
1.2 - 11 Sept. 2012 - Phase 2 & 3 notified
2.0 - 12 Sept. 2012 - Phase 4 - Public Released

Related Documents:

See our BIND Security Matrix for a complete listing of Security Vulnerabilities and versions affected.

If you'd like more information on our Forum or product support please visit www.isc.org/software/guild or www.isc.org/support.

Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org

Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy

The Knowledge Base article https://kb.isc.org/article/AA-00778 is the complete and official security advisory document.

There is also a summary article located on our website and linking to here: https://www.isc.org/software/bind/advisories/cve-2012-4244

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an AS IS basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk.

ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

(c) 2001-2012 Internet Systems Consortium

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
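The advisory above gives the affected ranges and fixed releases for four release trains plus several EOL branches, and the answer for a given server is not always obvious (an ESV train is numbered with -Rn rather than a third digit, -P patch releases sit between point releases, and betas and release candidates are not mentioned at all). The following is an added example, not ISC code or anything from the advisory, that encodes those ranges and classifies a version string such as the one printed by `named -v`. It assumes ISC's own version-string grammar (9.8.3-P2, 9.6-ESV-R7-P2, 9.9.2rc1); anything trailing that grammar is treated as a vendor suffix and reported as unknown, because distribution packages backport fixes without changing the upstream version number. The sample strings at the bottom are constructed for illustration.

```python
import re

# Grammar of ISC's version strings, e.g. 9.8.3-P2, 9.6-ESV-R7-P2, 9.9.2rc1.
# Not anchored at the end so that a vendor suffix can be detected separately.
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<point>\d+))?"
    r"(?P<esv>-ESV(?:-R(?P<esv_r>\d+))?)?"
    r"(?:(?P<stage>b|rc)(?P<stage_num>\d+))?"
    r"(?:-P(?P<patch>\d+))?"
)
_STAGE_RANK = {"b": 0, "rc": 1, None: 2}  # beta < release candidate < release


def parse_bind_version(text):
    """Split a BIND version string into (train, key, suffix).

    train  = (major, minor, is_esv) identifies the release train;
    key    orders releases within a train, so that
            9.9.1-P3 < 9.9.2b1 < 9.9.2rc1 < 9.9.2;
    suffix = any trailing vendor decoration, e.g. "-RedHat-9.8.1-P1.el6".
    """
    text = text.strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    g = m.groupdict()
    is_esv = g["esv"] is not None
    # ESV trains count releases with -Rn instead of a third number.
    point = int(g["esv_r"] or 0) if is_esv else int(g["point"] or 0)
    key = (point, int(g["patch"] or 0),
           _STAGE_RANK[g["stage"]], int(g["stage_num"] or 0))
    return (int(g["major"]), int(g["minor"]), is_esv), key, text[m.end():]


# Last affected release in each train, per the advisory.  None means the
# whole train is affected and, being EOL, has no fix.
_LAST_AFFECTED = {
    **{(9, n, False): None for n in range(7)},  # 9.0.x - 9.6.x
    (9, 4, True): (5, 1, 2, 0),    # 9.4-ESV ... 9.4-ESV-R5-P1 (EOL)
    (9, 6, True): (7, 2, 2, 0),    # 9.6-ESV ... 9.6-ESV-R7-P2
    (9, 7, False): (6, 2, 2, 0),   # 9.7.0 ... 9.7.6-P2
    (9, 8, False): (3, 2, 2, 0),   # 9.8.0 ... 9.8.3-P2
    (9, 9, False): (1, 2, 2, 0),   # 9.9.0 ... 9.9.1-P2
}
# Trains for which the advisory names a fix (-P3 and the following release).
_FIXED_TRAINS = {(9, 6, True), (9, 7, False), (9, 8, False), (9, 9, False)}


def cve_2012_4244_status(version):
    """Return 'affected', 'fixed' or 'unknown' for a BIND version string."""
    train, key, suffix = parse_bind_version(version)
    if suffix:
        return "unknown"   # vendor build: consult the distribution's advisory
    if train not in _LAST_AFFECTED:
        return "unknown"   # train not mentioned by the advisory
    last = _LAST_AFFECTED[train]
    if last is None or key <= last:
        return "affected"
    if key[2] != 2 or train not in _FIXED_TRAINS:
        return "unknown"   # beta/rc build, or an EOL train with no fix listed
    return "fixed"


def version_from_named_v(output):
    """Extract the version token from `named -v` output such as 'BIND 9.8.3-P2'."""
    m = re.search(r"\bBIND\s+(\S+)", output)
    if not m:
        raise ValueError("no BIND version found in: %r" % output)
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample outputs of `named -v`; not taken from real hosts.
    for line in ("BIND 9.8.3-P2", "BIND 9.6-ESV-R7-P3", "BIND 9.9.2rc1",
                 "BIND 9.5.1", "BIND 9.8.1-P1-RedHat-9.8.1-P1.el6"):
        print("%-40s %s" % (line, cve_2012_4244_status(version_from_named_v(line))))
```

Run `named -v` on the host and feed the output to `version_from_named_v`; a result of "unknown" for a distribution build is deliberate, since the package changelog, not the upstream version, says whether the fix is present.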
BIND 9.9.2rc1 is now available
Introduction

BIND 9.9.2rc1 is the first release candidate of BIND 9.9.2.

This document summarizes changes from BIND 9.9.1 to BIND 9.9.2rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
- ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 #30233]

New Features

- Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
- Introduces a new tool dnssec-checkds command that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
- Introduces a new tool dnssec-verify that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
- Adds configuration option max-rsa-exponent-size value; that can be used to specify the maximum rsa exponent size that will be accepted when validating [RT #29228]

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- When using DNSSEC inline signing with rndc signing -nsec3param, a salt value of - can now be used to indicate 'no salt'. [RT #30099]
- Prevents race conditions (address use after free) that could be encountered when named is shutting down and releasing structures used to manage recursive clients. [RT #30241]
- Static-stub zones now accept forward and forwarders options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type static-stub was an inadvertent oversight. [RT #30482]
- Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
- Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
- Improves OpenSSL error logging [RT #29932]
- The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
- The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
- Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
- Removes spurious newlines from log messages in zone.c [RT #30675]
- When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
- All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing
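The RT #26429 item in the release notes above describes a cache rule rather than a configuration option: a validated RRset may not outlive the signatures that cover it, so a zone whose re-signing is late gets re-queried as soon as its RRSIGs expire instead of lingering for the full TTL. The following is an added example, not code from BIND or from ISC, that reproduces that rule over RRSIG records in zone-file presentation format (RFC 4034 field order, with YYYYMMDDHHmmSS timestamps). The RRSIG line and the "current time" values are constructed for illustration; the signature field is a placeholder, not real data.

```python
from datetime import datetime, timezone


def rrsig_time_to_epoch(text):
    """Convert an RRSIG expiration/inception field (YYYYMMDDHHmmSS, UTC) to epoch seconds."""
    return int(datetime.strptime(text, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig(line):
    """Parse one RRSIG record in zone-file presentation format.

    Field order: owner TTL class RRSIG type-covered algorithm labels original-TTL
    expiration inception key-tag signer signature...
    """
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "covers": f[4],
        "expiration": rrsig_time_to_epoch(f[8]),
        "inception": rrsig_time_to_epoch(f[9]),
        "signer": f[11],
    }


def capped_cache_ttl(rrset_ttl, rrsigs, now):
    """TTL with which a validated RRset is stored in cache.

    The RRset may live no longer than the earliest expiration among its covering
    RRSIGs.  Returns 0 when every covering signature has already expired, which
    forces the next query to go back to the authoritative server.
    """
    if not rrsigs:
        return rrset_ttl            # unsigned data: the ordinary TTL applies
    remaining = min(sig["expiration"] for sig in rrsigs) - now
    return max(0, min(rrset_ttl, remaining))


# Constructed sample: an A RRset with a one-day TTL whose RRSIG expires at
# 2012-09-30 00:00:00 UTC.  The trailing signature field is a placeholder.
SAMPLE_RRSIG = ("www.example. 86400 IN RRSIG A 8 2 86400 20120930000000 "
                "20120901000000 12345 example. AAAAAAAAAAAAAAAAAAAA")


def demo(now_text):
    """Cache TTL for the sample RRset if the current time is now_text (YYYYMMDDHHmmSS UTC)."""
    return capped_cache_ttl(86400, [parse_rrsig(SAMPLE_RRSIG)],
                            rrsig_time_to_epoch(now_text))


if __name__ == "__main__":
    # Two weeks before expiry, one hour before expiry, and a day after it.
    for when in ("20120915120000", "20120929230000", "20121001000000"):
        print(when, "->", demo(when))
```

The three sample times show the three regimes: far from expiry the RRset keeps its own TTL (86400), close to expiry the TTL shrinks to the seconds remaining (3600), and after expiry it is 0, so the stale signatures are not served from cache at all.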
BIND 9.8.4rc1 is now available
Introduction

BIND 9.8.4rc1 is the first release candidate of BIND 9.8.4

This document summarizes changes from BIND 9.8.3 to BIND 9.8.4rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- Static-stub zones now accept forward and forwarders options (often needed for subdomains of the zone referenced to override global forwarding options). These options are already available with traditional stub zones and their omission from zones of type static-stub was an inadvertent oversight. [RT #30482]
- Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
- Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
- The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
- The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
- Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
- Removes spurious newlines from log messages in zone.c [RT #30675]
- When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
- All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive
BIND 9.6-ESV-R8rc1 is now available
Introduction

BIND 9.6-ESV-R8rc1 is the first release candidate of BIND 9.6-ESV-R8. BIND 9.6-ESV is an Extended Support Version of BIND.

This document summarizes changes from BIND 9.6-ESV-R7 to BIND 9.6-ESV-R8rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- None

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
- The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
- Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
- Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
- Removes spurious newlines from log messages in zone.c [RT #30675]
- When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- The tests on random jitter values that are used when handling zone refreshes have been relaxed. Prior to this change named could terminate unexpectedly when processing stub zones. [RT #29821]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
- Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
- Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.7.7rc1 is now available
Introduction

BIND 9.7.7rc1 is the first release candidate of BIND 9.7.7

This document summarizes changes from BIND 9.7.6 to BIND 9.7.7rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- None

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- Limits the TTL of signed RRsets in cache when their RRSIGs are approaching expiry. This prevents the persistence in cache of invalid RRSIGs in order to assist recovery from a situation where zone re-signing doesn't occur in a timely manner. With this change, named will attempt to obtain new RRSIGs from the authoritative server once the original ones have expired, and even if the TTL of the old records would in other circumstances cause them to be kept in cache for longer. [RT #26429]
- The configure script now supports and detects libxml2-2.8.x correctly [RT #30440]
- The host command should no longer assert on some architectures and builds while handling the time values used with the -w (wait forever) option. [RT #18723]
- Invalid zero settings for max-retry-time, min-retry-time, max-refresh-time, min-refresh-time will now be detected during parsing of named.conf and an error emitted instead of triggering an assertion failure on startup. [RT #27730]
- Corrects the syntax of isc_atomic_xadd() and isc_atomic_cmpxchg() which are employed on Itanium systems to speed up lock management by making use of atomic operations. Without the syntax correction it is possible that concurrent access to the same structures could accidentally occur with unpredictable results. [RT #25181]
- Removes spurious newlines from log messages in zone.c [RT #30675]
- When built with readline support (i.e. on a system with readline installed) nsupdate no longer terminates unexpectedly in interactive mode. [RT #29550]
- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
- Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make
BIND 9.7.7b1 is now available
Introduction

BIND 9.7.7b1 is the first beta release of BIND 9.7.7

This document summarizes changes from BIND 9.7.6 to BIND 9.7.7b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- None

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
- Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.8.4b1 is now available
Introduction

BIND 9.8.4b1 is the first beta release of BIND 9.8.4

This document summarizes changes from BIND 9.8.3 to BIND 9.8.4b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
- Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
- Corrects a failure to authenticate non-existence of resource records in some circumstances when RPZ has been configured. Also:
  + adds an optional recursive-only yes|no to the response-policy statement
  + adds an optional max-policy-ttl to the response-policy statement to limit the false data that recursive-only no can introduce into resolvers' caches
  + introduces a predefined encoding of PASSTHRU policy by adding rpz-passthru to be used as the target of CNAME policy records (the old encoding is still accepted.)
  + adds a RPZ performance test to bin/tests/system/rpz when queryperf is available.
  [RT #26172]
- Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
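The RT #26172 item above introduces three RPZ knobs without showing them in context, so here is an added configuration example (not from the release notes or from ISC's documentation) that uses all three together. The zone name "rpz.example", the file name and the policy owner names are made up for illustration. The point of pairing recursive-only no with max-policy-ttl is the one the notes make: once policy is also applied to non-recursive queries, other resolvers that query this server can cache the rewritten answers, and max-policy-ttl bounds how long that synthesized data survives in their caches.

```conf
options {
    recursion yes;

    // Apply the policy in zone "rpz.example" (default "policy given" means
    // each record in the zone decides).  recursive-only no extends the
    // policy to non-recursive (iterative) queries as well, which is exactly
    // the case where rewritten answers can end up in other resolvers'
    // caches; max-policy-ttl 60 caps the TTL of any such synthesized
    // answer so that false data expires quickly downstream.
    response-policy {
        zone "rpz.example" policy given;
    } recursive-only no max-policy-ttl 60;
};

// The policy zone itself: loaded locally, never served to clients.
zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { none; };
};
```

Inside rpz.example.db, a record such as `allowed.example CNAME rpz-passthru.` uses the new predefined PASSTHRU encoding to exempt that name from other policy rules, while entries like `bad.example CNAME .` keep returning NXDOMAIN; the older PASSTHRU encoding the notes mention is still accepted, so existing zones need not be rewritten.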
BIND 9.6-ESV-R8b1 is now available
Introduction

BIND 9.6-ESV-R8b1 is the first beta release of BIND 9.6-ESV-R8. BIND 9.6-ESV is an Extended Support Version of BIND.

This document summarizes changes from BIND 9.6-ESV-R7 to BIND 9.6-ESV-R8b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]

New Features

- None

Feature Changes

- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries - with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- The tests on random jitter values that are used when handling zone refreshes have been relaxed. Prior to this change named could terminate unexpectedly when processing stub zones. [RT #29821]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- It is now possible to use multiple control keys again - this functionality was inadvertently broken by change #3924 (RT #28265) which addressed a memory leak. [RT #29694]
- Setting resolver-query-timeout too low could cause named problems recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by re-using cached DS and RRSIG rrsets when possible [RT #29446]
- Upper-case/lower-case handling of RRSIG signer-names is now handled consistently: RRSIG records are generated with the signer-name in lower case. They are accepted with any case, but if they fail to validate, we try again in lower case. [RT #27451]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.9.2b1 is now available
Introduction

BIND 9.9.2b1 is the first beta release of BIND 9.9.2. This document summarizes changes from BIND 9.9.1 to BIND 9.9.2b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- Prevents a named assert (crash) when validating, caused by using Bad cache data before it has been initialized. [CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [CVE-2012-1667] [RT #29644]
- ISC_QUEUE handling for recursive clients was updated to address a race condition that could cause a memory leak. This rarely occurred with UDP clients, but could be a significant problem for a server handling a steady rate of TCP queries. [CVE-2012-3868] [RT #29539 #30233]

New Features

- Elliptic Curve Digital Signature Algorithm keys and signatures in DNSSEC are now supported per RFC 6605. [RT #21918]
- Introduces a new tool, dnssec-checkds, that checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099]
- Introduces a new tool, dnssec-verify, that validates a signed zone, checking for the correctness of signatures and NSEC/NSEC3 chains. [RT #23673]
- Adds a configuration option, max-rsa-exponent-size, that can be used to specify the maximum RSA exponent size that will be accepted when validating. [RT #29228]

Feature Changes

- Improves OpenSSL error logging. [RT #29932]
- nslookup now returns a nonzero exit code when it is unable to get an answer. [RT #29492]

Bug Fixes

- All named tasks that perform task-exclusive operations now share the same single task. Prior to this change, there was the possibility of a race condition between rndc operations and other functions such as re-sizing the adb hash table. If the race condition was encountered, named would in most cases terminate unexpectedly with an assert. [RT #29872]
- Ensures that servers are expired from the ADB cache when the timeout limit is reached so that their learned attributes can be refreshed. Prior to this change, servers that were frequently queried might never have their entries removed and reinitialized. This is of particular importance to DNSSEC-validating recursive servers that might erroneously set no-edns for an authoritative server following a period of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change (3218) by preventing RRSIG data from being added to cache when a pseudo-record matching the covering type and proving non-existence exists at a higher trust level. The earlier change prevented this inconsistent data from being retrieved from cache in response to client queries; with this additional change, the RRSIG records are no longer inserted into cache at all. [RT #26809]
- dnssec-settime will now issue a warning when the writing of a new private key file would cause a change in the permissions of the existing file. [RT #27724]
- Fixes the defect introduced by change #3314 that was causing failures when saving stub zones to disk (resulting in excessive CPU usage in some cases). [RT #29952]
- Addresses a race condition in the unit tests asyncload_zone and asyncload_zt. [RT #26100]
- It is now possible to use multiple control keys again; this functionality was inadvertently broken by change #3924 (RT #28265), which addressed a memory leak. [RT #29694]
- Named now holds a zone table reference while performing an asynchronous load of a zone. This removes a race condition that could cause named to crash when zones are added using rndc addzone or by manually editing named's configuration file followed by rndc reconfig/reload. [RT #28326]
- Setting resolver-query-timeout too low could cause problems for named when recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a busy recursive nameserver by
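The max-rsa-exponent-size option in the 9.9.2b1 notes above is a validator cost control: RSA signature verification work grows with the bit length of the public exponent, so a DNSKEY carrying a huge exponent makes every validation of a signature under that key expensive for a recursive server. The following C program is an added example written for this page, not BIND's implementation of the option. It locates the exponent inside the RFC 3110 key format carried in DNSKEY RDATA and refuses keys whose exponent exceeds a configured bit limit before any RSA arithmetic would run. DNSKEY_HDR_LEN, DEFAULT_MAX_EXP_BITS, the function names and the SAMPLE_* records are this example's own names and constructed data; treating a limit of 0 as 4096 bits is the example's assumption about the option's default.

```c
/* Added example (not BIND source code): enforce a max-rsa-exponent-size
 * style limit on the RSA public exponent found in a DNSKEY record before
 * the key is handed to an RSA verification routine.
 *
 * DNSKEY RDATA (RFC 4034): flags(2) protocol(1) algorithm(1) public key.
 * RSA public key (RFC 3110): explen (1 byte; if 0, the next 2 bytes hold
 * the length), exponent, modulus, all big-endian. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNSKEY_HDR_LEN 4
#define DEFAULT_MAX_EXP_BITS 4096   /* assumption: a limit of 0 means 4096 bits */

/* Bit length of a big-endian unsigned integer, ignoring leading zero bytes. */
static size_t bitlen_be(const uint8_t *p, size_t len) {
    size_t i = 0;
    while (i < len && p[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i - 1) * 8;
    for (uint8_t b = p[i]; b != 0; b >>= 1) bits++;
    return bits;
}

/* Locate the RSA exponent inside DNSKEY RDATA.
 * Returns its bit length, or -1 if the RDATA is malformed or truncated. */
int dnskey_rsa_exponent_bits(const uint8_t *rdata, size_t rdlen) {
    if (rdlen < DNSKEY_HDR_LEN + 1) return -1;
    const uint8_t *key = rdata + DNSKEY_HDR_LEN;
    size_t keylen = rdlen - DNSKEY_HDR_LEN;
    size_t explen, off;
    if (key[0] != 0) {
        explen = key[0];
        off = 1;
    } else {
        if (keylen < 3) return -1;
        explen = ((size_t)key[1] << 8) | key[2];
        off = 3;
    }
    /* The exponent must be non-empty and leave at least one modulus byte. */
    if (explen == 0 || keylen - off <= explen) return -1;
    return (int)bitlen_be(key + off, explen);   /* at most 65535*8, fits an int */
}

/* Policy check: returns 1 if the key is acceptable, 0 if it must be rejected
 * (exponent too large, exponent zero, or malformed RDATA). */
int dnskey_rsa_exponent_ok(const uint8_t *rdata, size_t rdlen, unsigned max_bits) {
    if (max_bits == 0) max_bits = DEFAULT_MAX_EXP_BITS;
    int bits = dnskey_rsa_exponent_bits(rdata, rdlen);
    return bits > 0 && (unsigned)bits <= max_bits;
}

/* Constructed sample: flags 256 (ZSK), protocol 3, algorithm 8 (RSASHA256),
 * exponent 65537 (3 bytes), followed by a token 2-byte "modulus". */
const uint8_t SAMPLE_DNSKEY_E65537[] = { 0x01,0x00, 0x03, 0x08, 0x03, 0x01,0x00,0x01, 0xc3,0x5a };
/* Constructed sample that claims a 5-byte exponent but is cut off after 2 bytes. */
const uint8_t SAMPLE_DNSKEY_TRUNC[]  = { 0x01,0x00, 0x03, 0x08, 0x05, 0x01,0x00 };

/* Builds a DNSKEY whose exponent is 513 bytes of 0xff (4104 bits) and runs the
 * default policy on it; without the limit a validator would feed this to RSA. */
int sample_huge_exponent_check(void) {
    static uint8_t buf[DNSKEY_HDR_LEN + 3 + 513 + 2];
    memset(buf, 0xff, sizeof buf);                 /* exponent and modulus bytes */
    buf[0] = 0x01; buf[1] = 0x00; buf[2] = 0x03; buf[3] = 0x08;
    buf[4] = 0x00; buf[5] = 0x02; buf[6] = 0x01;   /* two-byte length 0x0201 = 513 */
    return dnskey_rsa_exponent_ok(buf, sizeof buf, 0);
}

int main(void) {
    printf("e=65537 exponent bits: %d\n",
           dnskey_rsa_exponent_bits(SAMPLE_DNSKEY_E65537, sizeof SAMPLE_DNSKEY_E65537));
    printf("4104-bit exponent accepted under default limit: %d\n", sample_huge_exponent_check());
    printf("truncated key exponent bits: %d\n",
           dnskey_rsa_exponent_bits(SAMPLE_DNSKEY_TRUNC, sizeof SAMPLE_DNSKEY_TRUNC));
    return 0;
}
```

The point of running the check on the raw RDATA rather than after key import is that the parse is cheap and bounded, while the RSA exponentiation it gates is not; a key that fails the policy never reaches the crypto library.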
BIND 9.7.6-P1 is now available
Introduction

BIND 9.7.6-P1 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
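Two items that recur through the 9.7.6-P1 and sibling release notes above, the zero-length RDATA fix and the newly recognized TLSA record type, both come down to how a server walks resource records off the wire. The C program below is an added example written for this page, not BIND code: a bounds-checked parser for one wire-format resource record that treats RDLENGTH 0 as valid without ever reading from the absent RDATA, rejects records whose RDATA is truncated, and decodes the TLSA RDATA fields (usage, selector, matching type, certificate association data) with the digest-length check that RFC 6698 matching types 1 and 2 imply. The struct and function names, the TYPE_TLSA constant and the SAMPLE_* records are this example's own; the sample records are constructed for it.

```c
/* Added example (not BIND source code): a bounds-checked parser for one DNS
 * resource record in wire format, plus a TLSA RDATA decoder (RFC 6698).
 * RR layout: NAME, TYPE(2), CLASS(2), TTL(4), RDLENGTH(2), RDATA(RDLENGTH).
 * RDLENGTH 0 is legal for some record types; the parser must accept it
 * without ever reading from the (absent) RDATA. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TYPE_TLSA 52

struct rr {
    size_t name_len;        /* wire bytes used by the owner name */
    uint16_t type, rclass;
    uint32_t ttl;
    uint16_t rdlength;
    const uint8_t *rdata;   /* points into msg, or NULL when rdlength == 0 */
};

struct tlsa {
    uint8_t usage, selector, mtype;
    const uint8_t *data;    /* certificate association data */
    size_t datalen;
};

/* Wire length of the name at msg[off], or 0 if it runs past msglen or uses
 * a reserved label type. A compression pointer terminates the name. */
static size_t name_wire_len(const uint8_t *msg, size_t msglen, size_t off) {
    size_t start = off;
    for (;;) {
        if (off >= msglen) return 0;
        uint8_t len = msg[off];
        if (len == 0) return off - start + 1;
        if ((len & 0xC0) == 0xC0) {
            if (off + 1 >= msglen) return 0;
            return off - start + 2;
        }
        if (len & 0xC0) return 0;           /* 0x40/0x80 label types: not supported */
        off += 1 + (size_t)len;
    }
}

/* Parse the RR at msg[off]. Returns bytes consumed, or 0 on malformed input. */
size_t parse_rr(const uint8_t *msg, size_t msglen, size_t off, struct rr *out) {
    if (off > msglen) return 0;
    size_t n = name_wire_len(msg, msglen, off);
    if (n == 0) return 0;
    size_t p = off + n;                     /* p <= msglen is guaranteed by name_wire_len */
    if (msglen - p < 10) return 0;          /* fixed header truncated */
    out->name_len = n;
    out->type     = (uint16_t)(msg[p] << 8 | msg[p + 1]);
    out->rclass   = (uint16_t)(msg[p + 2] << 8 | msg[p + 3]);
    out->ttl      = (uint32_t)msg[p + 4] << 24 | (uint32_t)msg[p + 5] << 16 |
                    (uint32_t)msg[p + 6] << 8  | msg[p + 7];
    out->rdlength = (uint16_t)(msg[p + 8] << 8 | msg[p + 9]);
    p += 10;
    if (msglen - p < out->rdlength) return 0;    /* RDATA truncated: reject, do not read */
    out->rdata = out->rdlength ? msg + p : NULL; /* zero-length RDATA: nothing to point at */
    return n + 10 + out->rdlength;
}

/* Decode TLSA RDATA. Returns 1 on success, 0 if the record is not TLSA, is
 * too short, or carries a digest length that contradicts its matching type. */
int parse_tlsa(const struct rr *r, struct tlsa *out) {
    if (r->type != TYPE_TLSA || r->rdlength < 3) return 0;   /* also guarantees rdata != NULL */
    out->usage    = r->rdata[0];
    out->selector = r->rdata[1];
    out->mtype    = r->rdata[2];
    out->data     = r->rdata + 3;
    out->datalen  = (size_t)r->rdlength - 3;
    if (out->mtype == 1 && out->datalen != 32) return 0;   /* SHA-256 */
    if (out->mtype == 2 && out->datalen != 64) return 0;   /* SHA-512 */
    return 1;
}

/* Constructed sample: _443._tcp.example. IN TLSA 3 1 1 <32-byte digest 00..1f> */
const uint8_t SAMPLE_TLSA_RR[] = {
    4,'_','4','4','3', 4,'_','t','c','p', 7,'e','x','a','m','p','l','e', 0,
    0x00, 0x34, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x23,   /* TLSA, IN, TTL 3600, RDLENGTH 35 */
    0x03, 0x01, 0x01,                                              /* DANE-EE, SPKI, SHA-256 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
};
/* Constructed sample: example. IN A with RDLENGTH 0, the zero-length RDATA case. */
const uint8_t SAMPLE_EMPTY_RDATA_RR[] = {
    7,'e','x','a','m','p','l','e', 0, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3c, 0x00,0x00
};

/* usage*1000000 + selector*10000 + mtype*100 + datalen for the TLSA sample, or -1. */
long sample_tlsa_summary(void) {
    struct rr r; struct tlsa t;
    if (!parse_rr(SAMPLE_TLSA_RR, sizeof SAMPLE_TLSA_RR, 0, &r) || !parse_tlsa(&r, &t)) return -1;
    return (long)t.usage * 1000000 + (long)t.selector * 10000 + (long)t.mtype * 100 + (long)t.datalen;
}
/* Bytes consumed for the empty-RDATA sample (19), or 0 if it were rejected. */
size_t sample_empty_rdata_consumed(void) {
    struct rr r; return parse_rr(SAMPLE_EMPTY_RDATA_RR, sizeof SAMPLE_EMPTY_RDATA_RR, 0, &r);
}
/* 1 if the empty-RDATA sample parses and yields a NULL rdata pointer, else 0. */
int sample_empty_rdata_ptr_is_null(void) {
    struct rr r;
    return parse_rr(SAMPLE_EMPTY_RDATA_RR, sizeof SAMPLE_EMPTY_RDATA_RR, 0, &r) != 0 && r.rdata == NULL;
}
/* The TLSA sample with only its first 50 bytes delivered: RDATA is truncated, so 0. */
size_t sample_truncated_consumed(void) {
    struct rr r; return parse_rr(SAMPLE_TLSA_RR, 50, 0, &r);
}

int main(void) {
    printf("TLSA summary %ld, empty-RDATA consumed %zu (rdata NULL: %d), truncated consumed %zu\n",
           sample_tlsa_summary(), sample_empty_rdata_consumed(),
           sample_empty_rdata_ptr_is_null(), sample_truncated_consumed());
    return 0;
}
```

The two checks worth noting are the order of the length tests (header before RDLENGTH, RDLENGTH before any RDATA access) and the explicit NULL for an empty RDATA, which turns a later accidental read into an immediate, obvious fault rather than a read of whatever follows the record.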
BIND 9.9.1-P1 is now available
Introduction

BIND 9.9.1-P1 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]
* A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some linux distributors may have provided this functionality under their own version numbering systems.)

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Prevents intermittent named crashes following an rndc reload. [RT #28606]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]
* Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending. [RT #28419]
* Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467]
* Ensures that when a client recurses its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346]
* Fixed a problem preventing proper use of 64 bit time values in libbind. [RT #26542]
* isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265]
* Fixed a build error on systems without ENOTSUP. [RT #28200]
* The header file isc/hmacsha.h is now installed when building BIND. [RT #28169]
* AAAA responses will no longer be returned in the additional section when filter-aaaa-on-v4 is in use. (Prior to this change, they would be returned for some query types.) [RT #27292]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.8.3-P1 is now available
Introduction

BIND 9.8.3-P1 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available at http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.6-ESV-R7-P1 is now available
Introduction

BIND 9.6-ESV-R7-P1 is the most recent release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7-P1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]
* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.1c.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.9.1 is now available
Introduction

BIND 9.9.1 is the latest production release of BIND 9.9. This document summarizes changes from BIND 9.9.0 to BIND 9.9.1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]
* A note will be added to the README in future releases to explain that the improved scalability provided by using multiple threads to listen for and process queries (change 3137, RT #22992) does not provide any performance benefit when running BIND on versions of the linux kernel that do not include the 'lockless UDP transmit path' changes that were incorporated in 2.6.39. (Some linux distributors may have provided this functionality under their own version numbering systems.)

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Prevents intermittent named crashes following an rndc reload. [RT #28606]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]
* Prevents named crashes as a result of dereferencing a NULL pointer in zmgr_start_xfrin_ifquota if the zone was being removed while there were zone transfers still pending. [RT #28419]
* Corrects a parser bug that could cause named to crash while reading a malformed zone file. [RT #28467]
* Ensures that when a client recurses its status fields are consistently set so that named doesn't fail on an INSIST in client.c:exit_check. [RT #28346]
* Fixed a problem preventing proper use of 64 bit time values in libbind. [RT #26542]
* isccc/cc.c:table_fromwire could fail to free an allocated object on error, leading to a possible memory leak condition. [RT #28265]
* Fixed a build error on systems without ENOTSUP. [RT #28200]
* The header file isc/hmacsha.h is now installed when building BIND. [RT #28169]
* AAAA responses will no longer be returned in the additional section when filter-aaaa-on-v4 is in use. (Prior to this change, they would be returned for some query types.) [RT #27292]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.8.3 is now available
Introduction

BIND 9.8.3 is the latest production release of BIND 9.8. This document summarizes changes from BIND 9.8.2 to BIND 9.8.3. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available at http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* named-checkconf now correctly validates dns64 clients acl definitions. [RT #27631]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Improves DNS64 reverse zone performance. [RT #28563]
* Adds wire format lookup method to sdb. [RT #28563]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.7.6 is now available
Introduction

BIND 9.7.6 is the latest production release of BIND 9.7. This document summarizes changes from BIND 9.7.5 to BIND 9.7.6. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* Resolves inconsistencies in locating DNSSEC keys where zone names contain characters that require special mappings. [RT #28600]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
BIND 9.6-ESV-R7 is now available
Introduction

BIND 9.6-ESV-R7 is the most recent release of BIND 9.6-ESV. BIND 9.6-ESV is an Extended Support Version of BIND 9. This document summarizes changes from BIND 9.6-ESV-R6 to BIND 9.6-ESV-R7. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

* Windows binary packages distributed by ISC are now built and linked against OpenSSL 1.0.0i.

New Features

* None

Feature Changes

* BIND now recognizes the TLSA resource record type, created to support IETF DANE (DNS-based Authentication of Named Entities). [RT #28989]

Bug Fixes

* The locking strategy around the handling of iterative queries has been tuned to reduce unnecessary contention in a multi-threaded environment. (Note that this may not provide a measurable improvement over previous versions of BIND, but it corrects the performance impact of change 3309 / RT #27995.) [RT #29239]
* Addresses a race condition that can cause named to crash when the masters list for a zone is updated via rndc reload/reconfig. [RT #26732]
* Fixes a race condition in zone.c that can cause named to crash during the processing of rndc delzone. [RT #29028]
* Prevents a named segfault from resolver.c due to procedure fctx_finddone() not being thread-safe. [RT #27995]
* Uses hmctx, not mctx, when freeing rbtdb-heaps to avoid triggering an assertion when flushing cache data. [RT #28571]
* A new flag, -R, has been added to queryperf for running tests using non-recursive queries. It also now builds correctly on MacOS version 10.7 (darwin). [RT #28565]
* Named no longer crashes if gssapi is enabled in named.conf but was not compiled into the binary. [RT #28338]
* SDB now handles unexpected errors from back-end database drivers gracefully instead of exiting on an assert. [RT #28534]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium
Operational Notification -- Segmentation Fault in resolver.c Affects BIND 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0
Summary: ISC has discovered a race condition in the resolver code that can cause a recursive nameserver running BIND 9.6-ESV-R6, 9.7.5, 9.8.2, or 9.9.0 to crash with a segmentation fault. Authoritative-only servers are not affected, but recursive-only or recursive-authoritative hybrid servers are at risk of crashing because of this bug.

Posting date: 30 April 2012
Program Impacted: BIND
Versions affected: 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0.

Description: ISC is issuing an operational notification for users running ISC BIND 9.6-ESV-R6, 9.7.5, 9.8.2 or 9.9.0. A race condition has been discovered in resolver.c that can cause a recursive nameserver running one of these versions to crash with a segmentation fault. This defect is not considered a security issue, as no known method for deliberately triggering it exists. It depends on a matter of random timing between multiple threads executing the resolver code. However, the nature of the bug is such that the probability of encountering the crash condition eventually increases in proportion to the number of queries being resolved as well as the number of queries being resolved simultaneously. Consequently, busy recursing nameservers and nameservers with more threads processing simultaneously are at higher risk of encountering this bug.

This defect was introduced accidentally in change #3241, which appeared for the first time in the specified release versions. Prior release versions (9.6-ESV-R5-P1, 9.7.4-P1, and 9.8.1-P1 and any earlier versions) are not affected by this bug.

ISC is preparing replacement release versions with a delivery target of mid-May 2012, and a source code patch is currently available in the ISC Knowledge Base article: https://kb.isc.org/article/AA-00664

Solution: Authoritative-only servers do not need to address this issue.

If you have not upgraded yet to the affected versions, postpone updating until they are replaced by 9.6-ESV-R7, 9.7.6, 9.8.3, or 9.9.1, which are to be released in mid-May 2012 and which will include a fix for this issue along with several minor bug fixes.

If you have already upgraded a recursive server to one of the affected versions, you have the option of reverting to a prior release version, waiting for the May release of superseding packages including the fix, or applying the source code patch from ISC and rebuilding BIND. The source code patch can be found as an attachment to the ISC Knowledge Base article https://kb.isc.org/article/AA-00664

- Do you have Questions? Questions regarding this advisory should go to supp...@isc.org.
- Additional information on our Operational Notifications is here: https://www.isc.org/software/notifications, and our Phased Disclosure Process is here: https://www.isc.org/security-vulnerability-disclosure-policy

Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an AS IS basis. No warranty or guarantee of any kind is expressed in this notice and none should be inferred. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use of, or reliance on, this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
BIND 9.6-ESV-R6rc2 is now available
Introduction

BIND 9.6-ESV-R6rc2 is the second release candidate for BIND 9.6-ESV-R6. This document summarizes changes from BIND 9.6-ESV-R5 to BIND 9.6-ESV-R6rc2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

Previously included in 9.6-ESV-R6rc1

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

Previously included in 9.6-ESV-R6rc1

+ Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

Newly added in 9.6-ESV-R6rc2

+ Corrects a potential overflow problem in the computation of RRSIG expiration times. [RT #23311]
+ The maximum number of NSEC3 iterations for a DNSKEY RRset was not being properly computed. [RT #26543]
+ Error reporting has been improved for failures encountered when sending or receiving network packets. In particular some memory allocation failures were being logged as unexpected error - these will now be reported accurately. A new ISC_R_UNSET result code has also been added to cover those situations where there is no error code returned by the OS sockets implementation. [RT #27336]
+ Corrects an INSIST failure by addressing race conditions in the handling of rbtnode.deadlink. [RT #27738]
+ SOA refresh queries could be treated as cancelled despite succeeding over the loopback interface. [RT #27782]
+ When replacing an NS RRset, BIND now restricts the TTL of the new NS RRset to no more than that of the NS RRset it replaces to fix a timing problem that can arise when removing a delegation. [RT #27792/27884]
+ Raw zones with more than 512 records in an RRset previously failed to load. [RT #27863]

Previously included in 9.6-ESV-R6rc1

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits dump zone to file message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ An unusual corner-case buffer handling issue in zone transfers is corrected. The symptom was that zones that contain record types that do not compress when converted to wire format could fail to transfer. [RT #26796]
+ Addresses a selection of minor resource leaks (that were identified via code checking tools but which have not been reported from any production environments). [RT #26624]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
+ named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
+ The order in which we process the reactivation of a dead node in cache and the incrementing of its reference count created a small timing window during which an inconsistency could be detected and an
BIND 9.7.5rc2 is now available
Introduction

BIND 9.7.5rc2 is the second release candidate for BIND 9.7.5. This document summarizes changes from BIND 9.7.4 to BIND 9.7.5rc2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

Previously included in 9.7.5rc1

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

Previously included in 9.7.5rc1

+ It is now possible to explicitly disable DLV in named.conf by specifying dnssec-lookaside no;. This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

Newly added in 9.7.5rc2

+ Corrects a potential overflow problem in the computation of RRSIG expiration times. [RT #23311]
+ The maximum number of NSEC3 iterations for a DNSKEY RRset was not being properly computed. [RT #26543]
+ Error reporting has been improved for failures encountered when sending or receiving network packets. In particular some memory allocation failures were being logged as unexpected error - these will now be reported accurately. A new ISC_R_UNSET result code has also been added to cover those situations where there is no error code returned by the OS sockets implementation. [RT #27336]
+ Corrects an INSIST failure by addressing race conditions in the handling of rbtnode.deadlink. [RT #27738]
+ SOA refresh queries could be treated as cancelled despite succeeding over the loopback interface. [RT #27782]
+ When replacing an NS RRset, BIND now restricts the TTL of the new NS RRset to no more than that of the NS RRset it replaces to fix a timing problem that can arise when removing a delegation. [RT #27792/27884]
+ Raw zones with more than 512 records in an RRset previously failed to load. [RT #27863]
+ Make sure automatic key maintenance is started when rndc reconfig is issued if auto-dnssec maintain is turned on. [RT #26805]
+ Windows builds are now restricted to a single listener thread until incompatibility with the multiple listeners code can be addressed [RT #27696]
+ AAAA responses could be returned in the additional section even when filter-aaaa-on-v4 was in use. [RT #27292]

Previously included in 9.7.5rc1

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits dump zone to file message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ Prevents DNSKEY state change events from being missed by ensuring that the timestamps used to determine which keys are in use are set appropriately. [RT #26874]
+ When processing a list of keys, named now consistently compares them with the same timestamp. [RT #26883]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
+ Poor error handling could cause named to hang during shutdown. [RT #26372]
+ named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
+ The order in which we process the
BIND 9.8.2rc2 is now available
Introduction

BIND 9.8.2rc2 is the second release candidate for BIND 9.8.2. This document summarizes changes from BIND 9.8.1 to BIND 9.8.2rc2. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

Previously included in 9.8.2rc1

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

Newly added in 9.8.2rc2

+ RPZ implementation now conforms to version 3 of the specification. [RT #27316]

Previously included in 9.8.2rc1

+ It is now possible to explicitly disable DLV in named.conf by specifying dnssec-lookaside no;. This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

Newly added in 9.8.2rc2

+ Corrects a potential overflow problem in the computation of RRSIG expiration times. [RT #23311]
+ The maximum number of NSEC3 iterations for a DNSKEY RRset was not being properly computed. [RT #26543]
+ Error reporting has been improved for failures encountered when sending or receiving network packets. In particular some memory allocation failures were being logged as unexpected error - these will now be reported accurately. A new ISC_R_UNSET result code has also been added to cover those situations where there is no error code returned by the OS sockets implementation. [RT #27336]
+ Corrects an INSIST failure by addressing race conditions in the handling of rbtnode.deadlink. [RT #27738]
+ SOA refresh queries could be treated as cancelled despite succeeding over the loopback interface. [RT #27782]
+ When replacing an NS RRset, BIND now restricts the TTL of the new NS RRset to no more than that of the NS RRset it replaces to fix a timing problem that can arise when removing a delegation. [RT #27792/27884]
+ Raw zones with more than 512 records in an RRset previously failed to load. [RT #27863]
+ Make sure automatic key maintenance is started when rndc reconfig is issued if auto-dnssec maintain is turned on. [RT #26805]
+ Windows builds are now restricted to a single listener thread until incompatibility with the multiple listeners code can be addressed [RT #27696]
+ AAAA responses could be returned in the additional section even when filter-aaaa-on-v4 was in use. [RT #27292]
+ An error handling an out of memory condition could cause a stored rdataset to be freed twice using DNS64. [RT #27762]

Previously included in 9.8.2rc1

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits dump zone to file message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ Prevents DNSKEY state change events from being missed by ensuring that the timestamps used to determine which keys are in use are set appropriately. [RT #26874]
+ When processing a list of keys, named now consistently compares them with the same timestamp. [RT #26883]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND.
BIND 9.9.0 is now available
Introduction

BIND 9.9.0 is the first production release of BIND 9.9. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

New Features

The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables bump in the wire signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]

NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of no such domain. This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]

rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]

rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]

The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone which will show the current state of signing operations overall or per specified zone. [RT #23729]

auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]

Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]

Improves scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]

Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]

Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]

The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]

The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch. [RT #22896]

dnssec-signzone -R forces removal of signatures that are not expired but were created by a key which no longer exists. [RT #22471]

dnssec-signzone -X option allows signatures on DNSKEY records to have a different expiration date from other signatures. This makes it
BIND 9.9.0rc4 is now available
Introduction

BIND 9.9.0rc4 is the fourth release candidate for BIND 9.9.0. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

new in 9.9.0rc4

no new security fixes have been added

New Features

new in 9.9.0rc4

no new features have been added

previously included in 9.9.0rc3

NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of no such domain. This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]

Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]

Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]

Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]

Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]

The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables bump in the wire signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]

rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]

rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]

The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone which will show the current state of signing operations overall or per specified zone. [RT #23729]

The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]

auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]

The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch. [RT #22896]

dnssec-signzone -R forces removal of signatures that are not expired but were created by a key which no longer
BIND 9.9.0rc3 is now available
Introduction

BIND 9.9.0rc3 is the third release candidate for BIND 9.9.0. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

new in 9.9.0rc3

no new security fixes have been added

New Features

new in 9.9.0rc3

no new features have been added

previously included in 9.9.0rc2

NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of no such domain. This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]

Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]

Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]

Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]

Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]

The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables bump in the wire signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]

rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]

rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]

The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone which will show the current state of signing operations overall or per specified zone. [RT #23729]

The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]

auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]

The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch. [RT #22896]

dnssec-signzone -R forces removal of signatures that are not expired but were created by a key which no longer
PLEASE READ: An Important Security Announcement from ISC
ISC has been notified by Haixin Duan (a professor at Tsinghua University in Beijing China, who is currently visiting the International Computer Science Institute (ICSI) at the University of California, Berkeley) about a DNS resolver vulnerability that potentially allows a party to keep a domain name in the cache even after that domain name has expired.

ISC is evaluating the risk of this vulnerability, but his published paper shows how this was demonstrated, live across the Internet. It lists several DNS implementations and open resolver deployments as vulnerable. All BIND 9 versions are currently considered vulnerable.

A more detailed description of this vulnerability and ISC's planned response can be found at: https://www.isc.org/software/bind/advisories/cve-2012-1033
BIND 9.9.0rc2 is now available
Introduction

BIND 9.9.0rc2 is the second release candidate for BIND 9.9.0. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

new in 9.9.0rc2

- no new security fixes have been added since 9.9.0rc1

previously included in 9.9.0rc1

- BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

New Features

new in 9.9.0rc2

- no wholly new features have been added since 9.9.0rc1

previously included in 9.9.0rc1

- NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]
- Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]
- Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]
- Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]
- Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]
- The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables bump-in-the-wire signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]
- The rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]
- The rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]
- The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone, which will show the current state of signing operations overall or per specified zone. [RT #23729]
- The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]
- auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]
- The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did
BIND 9.7.5rc1 is now available
Introduction

BIND 9.7.5rc1 is the first release candidate of BIND 9.7.5. This document summarizes changes from BIND 9.7.4 to BIND 9.7.5rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

+ It is now possible to explicitly disable DLV in named.conf by specifying dnssec-lookaside no;. This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib). [RT #27103]

Bug Fixes

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits the "dump zone to file" message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ Prevents DNSKEY state change events from being missed by ensuring that the timestamps used to determine which keys are in use are set appropriately. [RT #26874]
+ When processing a list of keys, named now consistently compares them with the same timestamp. [RT #26883]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
+ Poor error handling could cause named to hang during shutdown. [RT #26372]
+ named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
+ The order in which we process the reactivation of a dead node in cache and the incrementing of its reference count created a small timing window during which an inconsistency could be detected and an assert occur in a multi-threaded environment. This should no longer occur. [RT #23219]
+ Master servers that had previously been marked as unreachable because of failed zone transfer attempts will now be removed from the unreachable list (i.e. considered reachable again) if the slave receives a NOTIFY message from them. [RT #25960]
+ Fixes a bug in zone.c where failure to delete signatures could lead to an assertion failure and subsequent abort. [RT #25880]
+ Corrects a problem validating root DS responses. [RT #25726]
+ Fixes a problem whereby rndc dumpdb could cause an assertion failure and abort by attempting to print an empty rdataset. [RT #25452]
+ Improves scalability by allocating one zone task per 100 zones at startup time. [RT #25541]
+ Fixes a problem with the computation of tags for revoked keys. [RT #26186]
+ 'dig -y' would crash when passed an unknown TSIG algorithm. dig now handles unknown TSIG algorithms more gracefully. [RT #25522]
+ Servers that received negative responses from a forwarder were failing to cache the answers correctly, resulting in multiple queries for the same non-existent name being sent to the forwarders instead of answers being provided to clients from cache (until TTL expiry). [RT #25380]
+ named would log warnings that empty zones may fail to transfer to slaves due to serial number 0. These spurious errors have now been silenced. [RT #25079]
+ Corrected memory leaks and out of order operations that could cause named
BIND 9.8.2rc1 is now available
Introduction

BIND 9.8.2rc1 is the first release candidate of BIND 9.8.2. This document summarizes changes from BIND 9.8.1 to BIND 9.8.2rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

+ It is now possible to explicitly disable DLV in named.conf by specifying dnssec-lookaside no;. This is the default, but the ability to configure it makes it clearly visible to administrators. [RT #24858]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib). [RT #27103]

Bug Fixes

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits the "dump zone to file" message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ Prevents DNSKEY state change events from being missed by ensuring that the timestamps used to determine which keys are in use are set appropriately. [RT #26874]
+ When processing a list of keys, named now consistently compares them with the same timestamp. [RT #26883]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
+ Poor error handling could cause named to hang during shutdown. [RT #26372]
+ named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
+ Fixes a problem with the computation of tags for revoked keys. [RT #26186]
+ Corrects a problem with change #3186. dns_db_rpz_findips() could fail to set the database version correctly, causing an assertion failure. [RT #26180]
+ Master servers that had previously been marked as unreachable because of failed zone transfer attempts will now be removed from the unreachable list (i.e. considered reachable again) if the slave receives a NOTIFY message from them. [RT #25960]
+ Fixes a bug in zone.c where failure to delete signatures could lead to an assertion failure and subsequent abort. [RT #25880]
+ Corrects a problem validating root DS responses. [RT #25726]
+ Fixes a problem whereby rndc dumpdb could cause an assertion failure and abort by attempting to print an empty rdataset. [RT #25452]
+ The order in which we process the reactivation of a dead node in cache and the incrementing of its reference count created a small timing window during which an inconsistency could be detected and an assert occur in a multi-threaded environment. This should no longer occur. [RT #23219]
+ 'dig -y' would crash when passed an unknown TSIG algorithm. dig now handles unknown TSIG algorithms more gracefully. [RT #25522]
+ Servers that received negative responses from a forwarder were failing to cache the answers correctly, resulting in multiple queries for the same non-existent name being sent to the forwarders instead of answers being provided to clients from cache (until TTL expiry). [RT #25380]
+ Corrected a bug which could cause a slave server with allow-update-forwarding set to become unresponsive if the master it is trying to reach is off-line or
BIND 9.6-ESV-R6rc1 is now available
Introduction

BIND 9.6-ESV-R6rc1 is the first release candidate of BIND 9.6-ESV-R6. This document summarizes changes from BIND 9.6-ESV-R5 to BIND 9.6-ESV-R6rc1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

+ BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

Feature Changes

+ Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]
+ --enable-developer, a new composite argument to the configure script, enables a set of build options normally disabled but frequently selected in test or development builds, specifically: enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and Darwin, also enable_exportlib). [RT #27103]

Bug Fixes

+ Some query patterns could cause responses not to be returned in cyclic order though rrset-order cyclic was set. [RT #27170/27185]
+ named-compilezone no longer emits the "dump zone to file" message when writing to stdout. [RT #27109]
+ Sets isc_socket_ipv6only() on the IPv6 control channels. This addresses IPv6 socket binding problems that can occur in some configurations when bindv6only=1 is set globally. [RT #22249]
+ named now reports a syntax error when a TXT record longer than 255 characters is configured. [RT #26956]
+ Addresses race conditions in the resolver code that can cause named to abort. [RT #26889]
+ Fixed a bug that could cause named to crash while loading a zone with invalid DNSKEY records. [RT #26913]
+ Prevents dig -6 +trace from terminating with an error when encountering a root nameserver without an AAAA record. [RT #26906]
+ An unusual corner-case buffer handling issue in zone transfers is corrected. The symptom was that zones that contain record types that do not compress when converted to wire format could fail to transfer. [RT #26796]
+ Addresses a selection of minor resource leaks (that were identified via code checking tools but which have not been reported from any production environments). [RT #26624]
+ Fixed a corner case race condition in the validator that may cause an assert in a multi-threaded build of BIND. [RT #26478]
+ named now correctly validates DNSSEC positive wildcard responses from NSEC3 signed zones. [RT #26200]
+ The order in which we process the reactivation of a dead node in cache and the incrementing of its reference count created a small timing window during which an inconsistency could be detected and an assert occur in a multi-threaded environment. This should no longer occur. [RT #23219]
+ 'dig -y' would crash when passed an unknown TSIG algorithm. dig now handles unknown TSIG algorithms more gracefully. [RT #25522]
+ Servers that received negative responses from a forwarder were failing to cache the answers correctly, resulting in multiple queries for the same non-existent name being sent to the forwarders instead of answers being provided to clients from cache (until TTL expiry). [RT #25380]
+ named would log warnings that empty zones may fail to transfer to slaves due to serial number 0. These spurious errors have now been silenced. [RT #25079]
+ Corrected memory leaks and out of order operations that could cause named to crash during a normal shutdown. [RT #25210]
+ Master servers that had previously been marked as unreachable because of failed zone transfer attempts will now be removed from the unreachable list (i.e. considered reachable again) if the slave receives a NOTIFY message from them. [RT #25960]
+ Corrects a problem validating root DS responses. [RT #25726]
+ Fixes a problem whereby rndc dumpdb could cause an assertion failure and abort by attempting to print an empty rdataset. [RT #25452]
+ Improves scalability by allocating one zone
BIND 9.9.0rc1 is now available
Introduction

BIND 9.9.0rc1 is the first release candidate for BIND 9.9. This document summarizes changes from BIND 9.8 to BIND 9.9. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

- BIND 9 nameservers performing recursive queries could cache an invalid record and subsequent queries for that record could crash the resolvers with an assertion failure. [RT #26590] [CVE-2011-4313]

New Features

- NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]
- Improved scalability by using multiple threads to listen for and process queries. Previously named only listened for queries on one thread regardless of the number of overall threads used. [RT #22992]
- Improves startup and reconfiguration time by allowing zones to load in multiple threads. [RT #25333]
- Improves initial start-up and server reload time by increasing the default size of the hash table the configuration parser uses to keep track of loaded zones and allowing it to grow dynamically to better handle systems with large numbers of zones. [RT #26523]
- Improves the startup time for an authoritative server with a large number of zones by making the zone task table of variable size rather than fixed size. This means that authoritative servers with many zones will be serving that zone data much sooner. [RT #24406]
- The new inline-signing option, in combination with the auto-dnssec option that was introduced in BIND 9.7, allows named to sign zones completely transparently. Previously automatic zone signing only worked on master zones that were configured to be dynamic; now, it works on any master or slave zone. In a master zone with inline signing, the zone is loaded from disk as usual, and a second copy of the zone is created to hold the signed version. The original zone file is not touched; all comments remain intact. When you edit the zone file and reload, named detects the incremental changes that have been made to the raw version of the zone, and applies those changes to the signed version, adding signatures as needed. A slave zone with inline signing works similarly, except that instead of loading the zone from disk and then signing it, the slave transfers the zone from a master server and then signs it. This enables bump-in-the-wire signing: a dedicated signing server acting as an intermediary between a hidden master server (which provides the raw zone data) and a set of publicly accessible slave servers (which only serve the signed data). [RT #26224/23657]
- The rndc flushtree name command removes the specified name and all names under it from the cache. [RT #19970]
- The rndc sync command dumps pending changes in a dynamic zone to disk without a freeze/thaw cycle. rndc sync -clean removes the journal file after syncing. rndc freeze no longer removes journal files. [RT #22473]
- The new rndc signing command provides greater visibility and control of the automatic DNSSEC signing process. Options to this new command include -list zone, which will show the current state of signing operations overall or per specified zone. [RT #23729]
- The also-notify option now takes the same syntax as masters, thus it can use named master lists and TSIG keys. [RT #23508]
- auto-dnssec zones can now have NSEC3 parameters set prior to signing. [RT #23684]
- The dnssec-signzone -D option causes dnssec-signzone to write DNSSEC data to a separate output file. This allows you to put $INCLUDE example.com.signed into the zonefile for example.com, run dnssec-signzone -SD example.com, and the result is a fully signed zone which did *not* overwrite your original zone file. Running the same command again will incrementally re-sign the zone, replacing only those signatures that need updating, rather than signing the entire zone from scratch. [RT
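The bump-in-the-wire arrangement described in the inline-signing entry above (in both the 9.9.0rc1 and 9.9.0rc2 notes), written out as a named.conf fragment for the dedicated signing server. This is an added example, not configuration shipped with BIND or taken from the release notes; the hidden master 192.0.2.1, the public slaves 192.0.2.10 and 192.0.2.11, the key name xfer-key and the file paths are constructed placeholders.

```conf
// Signing server sitting between a hidden master (raw zone) and public slaves
// (signed zone only). Added example; all addresses, names and paths are placeholders.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";   // placeholder, never a real secret
};

// also-notify now accepts the same syntax as masters, so one named master
// list with a TSIG key can drive both the NOTIFY targets and the transfer ACL.
masters public-slaves {
    192.0.2.10 key "xfer-key";
    192.0.2.11 key "xfer-key";
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };                    // hidden master supplies the raw, unsigned zone
    file "/var/cache/bind/example.com.raw";    // transferred copy; never edited here
    inline-signing yes;                        // named keeps a separate signed copy
    auto-dnssec maintain;                      // sign and re-sign with keys from key-directory
    key-directory "/etc/bind/keys";            // ZSK/KSK files for example.com live here
    allow-transfer { key "xfer-key"; };        // only holders of the TSIG key may AXFR the signed data
    also-notify { public-slaves; };            // named master list reused as the notify set
    notify explicit;                           // notify only the also-notify list, not the zone's NS set
};
```

After a reload, rndc signing -list example.com reports the state of the signing operations for the zone, and edits made on the hidden master arrive as incremental changes that named applies to the signed copy.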
Re: trigger point for new bug
On 11/16/11 1:22 PM, michoski wrote:

> Short time ago I grabbed the latest tarball from your download site, and generated internal packages. I could have sworn that was 9.8.1-P4 (our internal packages still have the P4, and Google finds some hits):

Perhaps it was 9.8.0-P4? Many of our version names bear a very close resemblance to one another.

> PROD:1 mhoskins@adns1:~$ rpm -qa | grep bind
> bind98-utils-9.8.1-1.P4
> bind98-libs-9.8.1-1.P4
> bind98-chroot-9.8.1-1.P4
> bind98-9.8.1-1.P4
>
> ...which led to mass confusion on how/why P1 is newer than P4 -- or if I somehow entered a magic time warp. Were P4 packages posted for some window of time that were later removed?

No. You can see all versions of ISC BIND 9 that we have released, going back to 9.0.0 in 2004, at ftp://ftp.isc.org/isc/bind9/

There has never (yet) been a 9.8.1-P4 released by ISC. However, the rpm names you are seeing are assigned by another entity, probably the maintainer of whatever repository you are using (e.g. RedHat.) Repository maintainers have been known to use version numbers similar, but not identical, to those assigned by ISC.

> No worries, I will move to P1 given today's date on the tarball. :-)

That's our recommendation.

Michael McNally
ISC Support