BIND 9.9.3b1 is now available
Introduction

BIND 9.9.3b1 is the first beta release of BIND 9.9.3. This document summarizes changes from BIND 9.9.2 to BIND 9.9.3b1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Security Fixes

Prevents named from aborting with a require assertion failure on servers with DNS64 enabled. These crashes might occur as a result of specific queries that are received. (CVE-2012-5688) [RT #30792 / #30996]

Prevents a named assert (crash) when using RPZ to generate A records (but not AAAA records) and DNS64 to generate AAAA records from A records. [RT #32141]

New Features

Add support for the RFC 6742 ILNP record types (NID, LP, L32, and L64). [RT #31836]

Feature Changes

Updates the built-in root hints for D.ROOT-SERVERS.NET whose IPv4 address changed to 199.7.91.13 (as of 3rd January 2013). Note that recursive servers running with an older set of root hints will still operate successfully because there are 12 other root servers whose addresses are correct and who will respond during root priming with the new root nameserver RRset. [RT #32164]

Adds RFC 6598 reverse zones to the built-in empty zones list: 64.100.IN-ADDR.ARPA ... 127.100.IN-ADDR.ARPA. [RT #31336]

Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]

named -V can now report a source ID string. (This will be of most interest to developers and troubleshooters). The source ID for ISC's production versions of BIND is defined in the srcid file in the build tree and is normally set to the most recent git hash. [RT #31494]

Bug Fixes

dnssec-keygen and dnssec-settime disallow setting the delete date to be sooner than the inactive date. [RT #31719]

Update HSM PKCS#11 patches to openssl to add support for openssl versions 0.9.8x, 1.0.0j, and 1.0.1c. [RT #29749]

ddns-confgen now accepts all the TSIG algorithms that it is documented as supporting when generating keys. [RT #31927]

Missing 'managed-keys-directory' is now handled better. Prior to this change, when misconfigured, named could loop and consume 100% CPU. [RT #30625]

Now only the programs that use the readline library will link with it (nslookup and nsupdate). [RT #29810]

When using 'rndc addzone' of a zone with 'inline-signing yes;' named will first load the unsigned version and then afterwards successfully create the signed version. (Prior to this fix, the addzone would fail). [RT #31960]

dnssec-checkds now emits a clear message when records are not found. This change also fixes a minor reporting problem whereby dnssec-checkds incorrectly reported that no DS records had been found for a KSK, despite having found and listed one. In addition, errors in the man pages (referencing the wrong utility) have been remedied. [RT #31968]

dnssec-dsfromkey now no longer puts legal whitespace in DS hashes in order to inter-operate better with some overly-strict registrars. [RT #31951]

Addresses portability issues (encountered when testing on HPUX) and corrects rndc signing -nsec3param to accept the full range of possible values. [RT #31938]

Named should no longer die on shutdown if running with 128 UDP dispatches per interface. [RT #31743]

Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now accepted in slave zone definitions in named.conf when inline-signing is being used. [RT #31078]

Addresses build problems encountered on NetBSD 6.0 (renames the 'bool' parameter to avoid a namespace clash). [RT #31515]

When using the zone reload method of importing changes to named with in-line signing, changes to SOA record parameters (other than the serial number alone) in the un-signed zone will now trigger named to update the signed version of the zone. Prior to this fix, if SOA parameters were updated while the server was offline but without any changes also being made to other records
Re: BIND 9.9.3b1 is now available
On 25-Jan-13 17:32, Michael McNally wrote:
> BIND 9.9.3b1 is the first beta release of BIND 9.9.3.
>
> Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]
>
> (c) 2001-2013 Internet Systems Consortium

2 bits of feedback on the beta announcement:

I have software that reads the stats channel. Please, if you have a new schema, put it on another URI so that software that wants the old schema gets it, and software that wants the new explicitly requests it. E.g. '/statistics/v3'

Flag day changes are not good...

I also have a patch that provides just the config data on another URI (/config) - which I wish you'd accept in some form - it's very useful for management software that doesn't want to parse all the stats (which in perl takes forever), but does want the list of zones served. I sent it to you folks quite some time ago (and could resend). Since you're obviously in the code, would you re-consider this? It's pretty straightforward, it simply selects a subset of the data in the (then-) existing flow.

Thanks on both counts.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.9.3b1 is now available
-----Original Message-----
From: Timothe Litt l...@acm.org
Date: Friday, January 25, 2013 6:13 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: BIND 9.9.3b1 is now available

> On 25-Jan-13 17:32, Michael McNally wrote:
>> BIND 9.9.3b1 is the first beta release of BIND 9.9.3.
>>
>> Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]
>>
>> (c) 2001-2013 Internet Systems Consortium
>
> 2 bits of feedback on the beta announcement:
>
> I have software that reads the stats channel.

Me too. Took awhile to get right, I'd hate to see it break. :-(

> Please, if you have a new schema, put it on another URI so that software that wants the old schema gets it, and software that wants the new explicitly requests it. E.g. '/statistics/v3'

Some sort of API-like deprecation would at least be cool...

But am I reading right? If I don't build with --enable-newstats, all my monitoring and trending scripts will continue to chug happily along with the old view?
Re: BIND 9.9.3b1 is now available
Maybe it will chug along for a while if you don't configure with newstats.

But suppose someday you want to update to the newer, better software. Are you going to run a separate server to test against? If you manage more than one server, when the monitoring software changes, are all the servers going to go down and reboot with the new config synchronously? What if you have lots of them (e.g. 10s or 100s)? In different admin domains?

As you say, this is an API. Flag days are never fun, and this is avoidable.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

On 25-Jan-13 18:37, Mike Hoskins (michoski) wrote:
> -----Original Message-----
> From: Timothe Litt l...@acm.org
> Date: Friday, January 25, 2013 6:13 PM
> To: bind-users@lists.isc.org bind-users@lists.isc.org
> Subject: Re: BIND 9.9.3b1 is now available
>
>> On 25-Jan-13 17:32, Michael McNally wrote:
>>> BIND 9.9.3b1 is the first beta release of BIND 9.9.3.
>>>
>>> Makes available a new XML schema (version 3.0) for the statistics channel that adds query type statistics at the zone level, flattens the XML tree and uses compressed format to optimize parsing. It also includes new XSL that permits charting via the Google Charts API on browsers that support javascript in XSL. To enable, build BIND with configure --enable-newstats. [RT #30023]
>>>
>>> (c) 2001-2013 Internet Systems Consortium
>>
>> 2 bits of feedback on the beta announcement:
>>
>> I have software that reads the stats channel.
>
> Me too. Took awhile to get right, I'd hate to see it break. :-(
>
>> Please, if you have a new schema, put it on another URI so that software that wants the old schema gets it, and software that wants the new explicitly requests it. E.g. '/statistics/v3'
>
> Some sort of API-like deprecation would at least be cool...
>
> But am I reading right? If I don't build with --enable-newstats, all my monitoring and trending scripts will continue to chug happily along with the old view?
Re: BIND 9.9.3b1 is now available
>> I have software that reads the stats channel.
>
> Me too. Took awhile to get right, I'd hate to see it break. :-(

The plan is, it *will* break in 9.10, but not in 9.9 (unless you turn the new stats on with the configure option).

I'd love it if you'd try it, actually, find out how hard it is to modify your tools to use the new schema, and send feedback. It may not be too painful; the new schema is simpler and flatter and should be easier to parse. And the XSL with Google Charts support is a major improvement over what went before.

>> Please, if you have a new schema, put it on another URI so that software that wants the old schema gets it, and software that wants the new explicitly requests it. E.g. '/statistics/v3'
>
> Some sort of API-like deprecation would at least be cool...

The schema includes a version number -- 2.2 for the old stats, 3.0 for the new ones. We increase the second digit when making changes that are backward compatible (i.e. adding new fields, not changing or removing existing ones), and the first digit when making changes that break compatibility. I'd been assuming the version field would be enough, but we can change the URI if needed.

> But am I reading right? If I don't build with --enable-newstats, all my monitoring and trending scripts will continue to chug happily along with the old view?

That's correct.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
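
The versioning rule described in the last reply (second digit for backward-compatible additions, first digit for breaking changes), written as a check a monitoring client could run before parsing, so that a schema change is refused loudly instead of producing silently wrong metrics. This is an added example, not code from the thread or from BIND; the `<statistics version="...">` element layout and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents, trimmed to the element that carries the
# version. The layout (a <statistics version="..."> element, nested in the
# old format and at the root in the new one) is an assumption of this example.
OLD_STATS = ('<isc version="1.0"><bind><statistics version="2.2">'
             '<server/></statistics></bind></isc>')
COMPAT_STATS = OLD_STATS.replace('"2.2"', '"2.3"')  # backward-compatible bump
NEW_STATS = '<statistics version="3.0"><server/></statistics>'


class SchemaMismatch(Exception):
    """The stats document is not one this client knows how to read."""


def schema_version(xml_text):
    """Return (major, minor) from the first <statistics version=...> element."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("statistics"):  # iter() also visits the root itself
        version = elem.get("version")
        if version is None:
            continue
        major, _, minor = version.partition(".")
        try:
            return int(major), int(minor or 0)
        except ValueError:
            raise SchemaMismatch(f"unparseable schema version {version!r}")
    raise SchemaMismatch("no <statistics version=...> element found")


def check_compatible(xml_text, major=2, min_minor=2):
    """Accept the same major version with an equal or newer minor version."""
    got_major, got_minor = schema_version(xml_text)
    if got_major != major:
        raise SchemaMismatch(f"schema {got_major}.{got_minor} breaks "
                             f"compatibility with {major}.x")
    if got_minor < min_minor:
        raise SchemaMismatch(f"schema {got_major}.{got_minor} predates "
                             f"fields added in {major}.{min_minor}")
    return got_major, got_minor


if __name__ == "__main__":
    for name, doc in (("old", OLD_STATS), ("compat", COMPAT_STATS),
                      ("new", NEW_STATS)):
        try:
            print(name, "ok", check_compatible(doc))
        except SchemaMismatch as exc:
            print(name, "refused:", exc)
```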