author Doug Barton <dougb@FreeBSD.org> 2012-04-12 01:53:33 +0000
committer Doug Barton <dougb@FreeBSD.org> 2012-04-12 01:53:33 +0000
commit 3ad4cbcf209fbd503ddaa0aa51895e0bdb6aabe1
tree c0e039e74256b5df7614b487a257ee23f628e135 /contrib
parent b517176ad9c080a4370d93b255cc3fa2d6b0504b
parent ef021ab32c96f04b817db934ad74cc24cf4285ef
The BIND 9.8.2 tarball was re-rolled to remove 9.8.1 release notes.
This change was noticed by ISC at: https://lists.isc.org/pipermail/bind-users/2012-April/087345.html and verified by me both by comparing the contents of the old and new distfiles and by verifying the PGP signature on the new distfile.
Notes: svn path=/head/; revision=234165
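The content comparison the commit message describes can be done per archive member rather than on the whole file, since two rolls of the same release rarely hash identically as archives. The sketch below is an added example, not code from this commit, FreeBSD or ISC; the function names, the `bind-9.8.2` top-level directory and the README/CHANGES contents are constructed for illustration. It covers only the content comparison, not verification of the PGP signature on the new distfile.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes, strip_components=1):
    """Map each regular file in a tarball to the SHA-256 of its content.

    Members are read in memory and never extracted to disk, so hostile
    member paths cannot write outside a target directory. The leading
    directory is stripped so two rolls compare by relative path.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if not parts:
                continue
            data = tar.extractfile(member).read()
            digests["/".join(parts)] = hashlib.sha256(data).hexdigest()
    return digests


def compare_rolls(old_bytes, new_bytes):
    """Report files removed, added or changed between two rolls."""
    old = member_digests(old_bytes)
    new = member_digests(new_bytes)
    common = set(old) & set(new)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(p for p in common if old[p] != new[p]),
    }


def only_expected_removals(report, expected_removed):
    """True only if the re-roll removed exactly the expected files
    and neither added nor modified anything else."""
    return (
        not report["added"]
        and not report["changed"]
        and set(report["removed"]) == set(expected_removed)
    )


def build_tarball(top_dir, files):
    """Build a gzip tarball in memory (used for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(f"{top_dir}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# File names taken from this commit's diffstat; contents are constructed.
EXPECTED_REMOVED = [
    "RELEASE-NOTES-BIND-9.8.1.html",
    "RELEASE-NOTES-BIND-9.8.1.pdf",
    "RELEASE-NOTES-BIND-9.8.1.txt",
    "release-notes.css",
]
_KEPT = {"CHANGES": b"constructed changes text\n", "README": b"constructed readme\n"}
_STALE = {name: b"constructed 9.8.1 notes\n" for name in EXPECTED_REMOVED}

SAMPLE_OLD = build_tarball("bind-9.8.2", {**_KEPT, **_STALE})  # original roll
SAMPLE_NEW = build_tarball("bind-9.8.2", dict(_KEPT))          # re-rolled

if __name__ == "__main__":
    report = compare_rolls(SAMPLE_OLD, SAMPLE_NEW)
    for kind, paths in report.items():
        print(kind, paths)
    print("clean re-roll:", only_expected_removals(report, EXPECTED_REMOVED))
```

Any path that shows up under `added` or `changed` is a difference the upstream announcement does not account for and should block the import until it is explained.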
Diffstat (limited to 'contrib')
-rw-r--r-- contrib/bind9/RELEASE-NOTES-BIND-9.8.1.html 368
-rw-r--r-- contrib/bind9/RELEASE-NOTES-BIND-9.8.1.pdf bin 62760 -> 0 bytes
-rw-r--r-- contrib/bind9/RELEASE-NOTES-BIND-9.8.1.txt 268
-rw-r--r-- contrib/bind9/release-notes.css 60
4 files changed, 0 insertions, 696 deletions
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.html b/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.html
deleted file mode 100644
index c4deae43a9cf..000000000000
--- a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.html
+++ /dev/null
@@ -1,368 +0,0 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title></title><link rel="stylesheet" href="release-notes.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="titlepage"><hr></div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359008"></a>Introduction</h2></div></div></div>
-
- <p>
- BIND 9.8.1 is the current production release of BIND 9.8.
- </p>
- <p>
- This document summarizes changes from BIND 9.8.0 to BIND 9.8.1.
- Please see the CHANGES file in the source code release for a
- complete list of all changes.
- </p>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359050"></a>Download</h2></div></div></div>
-
- <p>
- The latest versions of BIND 9 software can always be found
- on our web site at
- <a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
- There you will find additional information about each
- release, source code, and some pre-compiled versions for certain operating systems.
- </p>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2545549"></a>Support</h2></div></div></div>
-
- <p>Product support information is available on
- <a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
- for paid support options. Free support is provided by our user
- community via a mailing list. Information on all public email
- lists is available at
- <a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
- </p>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358108"></a>New Features</h2></div></div></div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358149"></a>9.8.1</h3></div></div></div>
-
- <div class="itemizedlist"><ul type="disc"><li>
-Added a new include file with function typedefs
-for the DLZ "dlopen" driver. [RT #23629]
-</li><li>
-Added a tool able to generate malformed packets to allow testing
-of how named handles them.
-[RT #24096]
-</li><li>
-The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727]
-</li></ul></div>
- </div>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358206"></a>Security Fixes</h2></div></div></div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358226"></a>9.8.1</h3></div></div></div>
-
- <div class="itemizedlist"><ul type="disc"><li>
-If named is configured with a response policy zone (RPZ) and a query
-of type RRSIG is received for a name configured for RRset replacement
-in that RPZ, it will trigger an INSIST and crash the server.
-RRSIG. [RT #24280]
-</li><li>
-named, set up to be a caching resolver, is vulnerable to a
-user querying a domain with very large resource record sets (RRSets)
-when trying to negatively cache the response. Due to an off-by-one
-error, caching the response could cause named to crash. [RT #24650]
-[CVE-2011-1910]
-</li><li>
-Using Response Policy Zone (RPZ) to query a wildcard CNAME label with
-QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type
-independant.
-[RT #24715]
-</li><li>
-Using Response Policy Zone (RPZ) with DNAME records and querying the
-subdomain of that label can cause named to crash. Now logs that DNAME
-is not supported.
-[RT #24766]
-</li><li>
-Change #2912 populated the message section in replies to UPDATE requests,
-which some Windows clients wanted. This exposed a latent bug that allowed
-the response message to crash named. With this fix, change 2912 has been
-reduced to copy only the zone section to the reply. A more complete fix
-for the latent bug will be released later.
-[RT #24777]
-</li></ul></div>
- </div>
- </div>
-
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358283"></a>Feature Changes</h2></div></div></div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358291"></a>9.8.1</h3></div></div></div>
-
- <div class="itemizedlist"><ul type="disc"><li>
-Merged in the NetBSD ATF test framework (currently
-version 0.12) for development of future unit tests.
-Use configure --with-atf to build ATF internally
-or configure --with-atf=prefix to use an external
-copy. [RT #23209]
-</li><li>
-Added more verbose error reporting from DLZ LDAP. [RT #23402]
-</li><li>
-The DLZ "dlopen" driver is now built by default,
-no longer requiring a configure option. To
-disable it, use "configure --without-dlopen".
-(Note: driver not supported on win32.) [RT #23467]
-</li><li>
-Replaced compile time constant with STDTIME_ON_32BITS.
-[RT #23587]
-</li><li>
-Make --with-gssapi default for ./configure. [RT #23738]
-</li><li>
-Improved the startup time for an authoritative server with a large
-number of zones by making the zone task table of variable size
-rather than fixed size. This means that authoritative servers with
-lots of zones will be serving that zone data much sooner. [RT #24406]
-</li><li>
-Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990]
-</li></ul></div>
- </div>
- </div>
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358460"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358468"></a>9.8.1</h3></div></div></div>
-
- <div class="itemizedlist"><ul type="disc"><li>
-During RFC5011 processing some journal write errors were not detected.
-This could lead to managed-keys changes being committed but not
-recorded in the journal files, causing potential inconsistencies
-during later processing. [RT #20256]
-</li><li>
-A potential NULL pointer deference in the DNS64 code could cause
-named to terminate unexpectedly. [RT #20256]
-</li><li>
-A state variable relating to DNSSEC could fail to be set during
-some infrequently-executed code paths, allowing it to be used whilst
-in an unitialized state during cache updates, with unpredictable results.
-[RT #20256]
-</li><li>
-A potential NULL pointer deference in DNSSEC signing code could
-cause named to terminate unexpectedly [RT #20256]
-</li><li>
-Several cosmetic code changes were made to silence warnings
-generated by a static code analysis tool. [RT #20256]
-</li><li>
-When using the -x (sign with only KSK) option on dnssec-signzone,
-it could incorrectly count the number of ZSKs in the zone. (And in 9.9.0,
-some code cleanup and improved warning messages). [RT #20852]
-</li><li>
-When using _builtin in named.conf, named.conf changes were not found
-when reloading the config file. Now checks _builtin zone arguments
-to see if the zone is re-usable or not. [RT #21914]
-</li><li>
-Running dnssec-settime -f on an old-style key will
-now force the key to be rewritten to the new key format even if no
-other change has been specified, using "-P now -A now"
-as default values. [RT #22474]
-</li><li>
-After an external code review, a code cleanup was done. [RT #22521]
-</li><li>
-Cause named to terminate at startup or rndc reconfig
-reload to fail, if a log file specified in the
-conf file isn't a plain file. (RT #22771]
-</li><li>
-named now forces the ADB cache time for glue related data to zero
-instead of relying on TTL. This corrects problematic behavior in cases
-where a server was authoritative for the A record of a nameserver for a
-delegated zone and was queried to recursively resolve records within
-that zone. [RT #22842]
-</li><li>
-When a validating resolver got a NODATA response for DNSKEY, it was
-not caching the NODATA. Fixed and test added. [RT #22908]
-</li><li>
-Fixed a bug in which zone keys that were published
-and but not immediately activated, automatic signing could fail to trigger.
-[RT #22911]
-</li><li>
-Fixed precedence order bug with NS and DNAME records if both are present.
-(Also fixed timing of autosign test in 9.7+) [RT #23035]
-</li><li>
-When a DNSSEC signed dynamic zone's signatures need to be refreshed,
-named would first delete the old signatures in the zone. If a private
-key of the same algorithm isn't available to named, the signing would
-fail but the old signatures would already be deleted. named now checks
-if it can access the private key before deleting the old signatures and
-leaves the old signature if no private key is found. [RT #23136]
-</li><li>
-When using "auto-dnssec maintain" and rolling to a new key, a
-private-type record (only used internally by named) could be created
-and not marked as complete. [RT #23253]
-</li><li>
-Fixed last autosign test report. [RT #23256]
-</li><li>
-named didn't save gid at startup and later assumed gid 0.
-named now saves/restores the gid when creating creating
-named.pid at startup. [RT #23290]
-</li><li>
-If the server has an IPv6 address but does not have IPv6 connectivity
-to the internet, dig +trace could fail attempting to use IPv6
-addresses. [RT #23297]
-</li><li>
-If named is configured with managed zones, the managed key maint timer
-can exercise a race condition that can crash the server.
-[RT #23303]
-</li><li>
-Changing TTL did not cause dnssec-signzone to generate new signatures.
-[RT #23330]
-</li><li>
-Have the validating resolver use RRSIG original TTL to compute
-validated RRset and RRSIG TTL. [RT #23332]
-</li><li>
-In "make test" bin/tests/resolver, hold the socket manager lock
-while freeing the socket.
-[RT #23333]
-</li><li>
-If named encountered a CNAME instead of a DS record when walking
-the chain of trust down from the trust anchor, it incorrectly stopped
-validating. [RT #23338]
-</li><li>
-dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in
-HEADERS variable. [RT #23342]
-</li><li>
-RRSIG records could have time stamps too far in the future.
-[RT #23356]
-</li><li>
-named stores cached data in an in-memory database and keeps track of
-how recently the data is used with a heap. The heap is stored within the
-cache's memory space. Under a sustained high query load and with a small
-cache size, this could lead to the heap exhausting the cache space. This
-would result in cache misses and SERVFAILs, with named never releasing
-the cache memory the heap used up and never recovering.
-
-This fix removes the heap into its own memory space, preventing the heap
-from exhausting the cache space and allowing named to recover gracefully
-when the high query load abates. [RT #23371]
-</li><li>
-Fully separated key management on a per view basis. [RT #23419]
-</li><li>
-If running on a powerpc CPU and with atomic operations enabled,
-named could lock up. Added sync instructions to the end of atomic
-operations. [RT #23469]
-</li><li>
-If OpenSSL was built without engine support, named would have
-compile errors and fail to build.
-[RT #23473]
-</li><li>
-If ./configure finds GOST but not elliptic curve, named fails to
-build. Added elliptic curve support check in GOST OpenSSL engine
-detection. [RT #23485]
-</li><li>
-"rndc secroots" would abort on the first error
-and so could miss remaining views. [RT #23488]
-</li><li>
-Handle isc_event_allocate failures in t_tasks test.
-[RT #23572]
-</li><li>
-ixfr-from-differences {master|slave};
-failed to select the master/slave zones, resulting in on diff/journal
-file being created.
-[RT #23580]
-</li><li>
-If a DNAME substitution failed, named returned NOERROR. The correct
-response should be YXDOMAIN.
-[RT #23591]
-</li><li>
-dns_dnssec_findzonekeys{2} used a inconsistant
-timestamp when determining which keys are active. This could result in
-some RRsets not being signed/re-signed.
-[RT #23642]
-</li><li>
-Remove bin/tests/system/logfileconfig/ns1/named.conf and
-add setup.sh in order to resolve changing named.conf issue. [RT #23687]
-</li><li>
-NOTIFY messages were not being sent when generating
-a NSEC3 chain incrementally. [RT #23702]
-</li><li>
-DDNS updates using SIG(0) with update-policy match
-type "external" could cause a crash. Also fixed nsupdate core
-dump on shutdown when using a SIG(0) key, due to the key
-not being freed. [RT #23735]
-</li><li>
-Zones using automatic key maintenance could fail to check the key
-repository for updates. named now checks once per hour and the
-automatic check bug has been fixed. [RT #23744]
-</li><li>
-named now uses the correct strtok/strtok_r/strtok_s based on OS.
-[RT #23747]
-</li><li>
-Signatures for records at the zone apex could go
-stale due to an incorrect timer setting. [RT #23769]
-</li><li>
-The autosign tests attempted to open ports within reserved ranges. Test
-now avoids those ports.
-[RT #23957]
-</li><li>
-GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
-be cached. Now sets KRB5_KTNAME before calling log_cred() in
-dst_gssapi_acceptctx(). [RT #24004]
-</li><li>
-named, acting as authoritative server for DLZ zones, was not correctly
-setting the authoritative (AA) bit.
-[RT #24146]
-</li><li>
-Clean up some cross-compiling issues and added two undocumented
-configure options, --with-gost and --with-rlimtype, to allow over-riding
-default settings (gost=no and rlimtype="long int") when cross-compiling.
-[RT #24367]
-</li><li>
-When trying sign with NSEC3, if dnssec-signzone couldn't find the
-KSK, it would give an incorrect error "NSEC3 iterations too big for
-weakest DNSKEY strength" rather than the correct "failed to find
-keys at the zone apex: not found" [RT #24369]
-</li><li>
-Configuring 'dnssec-validation auto' in a view instead of in the
-options statement could trigger an assertion failure in named-checkconf.
-[RT #24382]
-</li><li>
-Improved consistency checks for dnssec-enable and
-dnssec-validation, added test cases to the
-checkconf system test. [RT #24398]
-</li><li>
-If named is configured to be both authoritative and recursive and receives
-a recursive query for a CNAME in a zone that it is authoritative for, if that
-CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a
-complete CNAME chain. [RT #24455]
-</li><li>
-nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
-</li><li>
-Named could fail to validate zones list in a DLV that validated insecure
-without using DLV and had DS records in the parent zone. [RT #24631]
-</li><li>
-dnssec-signzone now records timestamps just before and just after signing, improving the accuracy of signing statistics. [RT #16030]
-</li><li>
-If allow-new-zones was set to yes and name-based ACLs were used, named could crash when "rndc reconfig" was issued. [RT #22739]
-</li><li>
-RT #23136 fixed a problem where named would delete old signatures even
-when the private key wasn't available to re-sign the zone, resulting in
-a zone with missing signatures. This fix (CHANGES 3114) did not
-completely fix all issues. [RT #24577]
-</li><li>
-A bug in FreeBSD kernels causes IPv6 UDP responses greater than
-1280 bytes to not fragment as they should. Until there is a kernel
-fix, named will work around this by setting IPV6_USE_MIN_MTU on a
-per packet basis. [RT #24950]
-</li></ul></div>
- </div>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359134"></a>Known issues in this release</h2></div></div></div>
-
- <div class="itemizedlist"><ul type="disc"><li>
- <p>
- None.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359152"></a>Thank You</h2></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to make
- quality open source software, please visit our donations page at
- <a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
- </p>
- </div>
-</div></body></html>
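Review bot: the commit message should say where the 9.8.1 security-fix summary can be found once this file is gone. The Security Fixes section deleted here is what ties CVE-2011-1910 to RT #24650 and lists the RPZ crash fixes (RT #24280, #24715, #24766) and the UPDATE reply fix (RT #24777). The deleted Introduction points readers to the CHANGES file for the complete list, so a one-line pointer to that file in the log would keep the trail for anyone auditing which fixes this import carries.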
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.pdf b/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.pdf
deleted file mode 100644
index b2b5de5df5bd..000000000000
--- a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.pdf
+++ /dev/null
Binary files differ
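Review bot: this deletion cannot be checked from the diff, which shows only "Binary files differ" and the diffstat's 62760 -> 0 bytes. The commit message's comparison of the old and new distfiles is the only evidence covering it, so recording the checksum of the re-rolled distfile in the log would let a later reader confirm which tarball this import matches.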
diff --git a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.txt b/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.txt
deleted file mode 100644
index 3fdb9b0ac6e7..000000000000
--- a/contrib/bind9/RELEASE-NOTES-BIND-9.8.1.txt
+++ /dev/null
@@ -1,268 +0,0 @@
- __________________________________________________________________
-
-Introduction
-
- BIND 9.8.1 is the current production release of BIND 9.8.
-
- This document summarizes changes from BIND 9.8.0 to BIND 9.8.1. Please
- see the CHANGES file in the source code release for a complete list of
- all changes.
-
-Download
-
- The latest versions of BIND 9 software can always be found on our web
- site at http://www.isc.org/downloads/all. There you will find
- additional information about each release, source code, and some
- pre-compiled versions for certain operating systems.
-
-Support
-
- Product support information is available on
- http://www.isc.org/services/support for paid support options. Free
- support is provided by our user community via a mailing list.
- Information on all public email lists is available at
- https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.8.1
-
- * Added a new include file with function typedefs for the DLZ
- "dlopen" driver. [RT #23629]
- * Added a tool able to generate malformed packets to allow testing of
- how named handles them. [RT #24096]
- * The root key is now provided in the file bind.keys allowing DNSSEC
- validation to be switched on at start up by adding
- "dnssec-validation auto;" to named.conf. If the root key provided
- has expired, named will log the expiration and validation will not
- work. More information and the most current copy of bind.keys can
- be found at http://www.isc.org/bind-keys. *Please note this feature
- was actually added in 9.8.0 but was not included in the 9.8.0
- release notes. [RT #21727]
-
-Security Fixes
-
-9.8.1
-
- * If named is configured with a response policy zone (RPZ) and a
- query of type RRSIG is received for a name configured for RRset
- replacement in that RPZ, it will trigger an INSIST and crash the
- server. RRSIG. [RT #24280]
- * named, set up to be a caching resolver, is vulnerable to a user
- querying a domain with very large resource record sets (RRSets)
- when trying to negatively cache the response. Due to an off-by-one
- error, caching the response could cause named to crash. [RT #24650]
- [CVE-2011-1910]
- * Using Response Policy Zone (RPZ) to query a wildcard CNAME label
- with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
- query type independant. [RT #24715]
- * Using Response Policy Zone (RPZ) with DNAME records and querying
- the subdomain of that label can cause named to crash. Now logs that
- DNAME is not supported. [RT #24766]
- * Change #2912 populated the message section in replies to UPDATE
- requests, which some Windows clients wanted. This exposed a latent
- bug that allowed the response message to crash named. With this
- fix, change 2912 has been reduced to copy only the zone section to
- the reply. A more complete fix for the latent bug will be released
- later. [RT #24777]
-
-Feature Changes
-
-9.8.1
-
- * Merged in the NetBSD ATF test framework (currently version 0.12)
- for development of future unit tests. Use configure --with-atf to
- build ATF internally or configure --with-atf=prefix to use an
- external copy. [RT #23209]
- * Added more verbose error reporting from DLZ LDAP. [RT #23402]
- * The DLZ "dlopen" driver is now built by default, no longer
- requiring a configure option. To disable it, use "configure
- --without-dlopen". (Note: driver not supported on win32.) [RT
- #23467]
- * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
- * Make --with-gssapi default for ./configure. [RT #23738]
- * Improved the startup time for an authoritative server with a large
- number of zones by making the zone task table of variable size
- rather than fixed size. This means that authoritative servers with
- lots of zones will be serving that zone data much sooner. [RT
- #24406]
- * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
- list of empty zones. [RT #24990]
-
-Bug Fixes
-
-9.8.1
-
- * During RFC5011 processing some journal write errors were not
- detected. This could lead to managed-keys changes being committed
- but not recorded in the journal files, causing potential
- inconsistencies during later processing. [RT #20256]
- * A potential NULL pointer deference in the DNS64 code could cause
- named to terminate unexpectedly. [RT #20256]
- * A state variable relating to DNSSEC could fail to be set during
- some infrequently-executed code paths, allowing it to be used
- whilst in an unitialized state during cache updates, with
- unpredictable results. [RT #20256]
- * A potential NULL pointer deference in DNSSEC signing code could
- cause named to terminate unexpectedly [RT #20256]
- * Several cosmetic code changes were made to silence warnings
- generated by a static code analysis tool. [RT #20256]
- * When using the -x (sign with only KSK) option on dnssec-signzone,
- it could incorrectly count the number of ZSKs in the zone. (And in
- 9.9.0, some code cleanup and improved warning messages). [RT
- #20852]
- * When using _builtin in named.conf, named.conf changes were not
- found when reloading the config file. Now checks _builtin zone
- arguments to see if the zone is re-usable or not. [RT #21914]
- * Running dnssec-settime -f on an old-style key will now force the
- key to be rewritten to the new key format even if no other change
- has been specified, using "-P now -A now" as default values. [RT
- #22474]
- * After an external code review, a code cleanup was done. [RT #22521]
- * Cause named to terminate at startup or rndc reconfig reload to
- fail, if a log file specified in the conf file isn't a plain file.
- (RT #22771]
- * named now forces the ADB cache time for glue related data to zero
- instead of relying on TTL. This corrects problematic behavior in
- cases where a server was authoritative for the A record of a
- nameserver for a delegated zone and was queried to recursively
- resolve records within that zone. [RT #22842]
- * When a validating resolver got a NODATA response for DNSKEY, it was
- not caching the NODATA. Fixed and test added. [RT #22908]
- * Fixed a bug in which zone keys that were published and but not
- immediately activated, automatic signing could fail to trigger. [RT
- #22911]
- * Fixed precedence order bug with NS and DNAME records if both are
- present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
- * When a DNSSEC signed dynamic zone's signatures need to be
- refreshed, named would first delete the old signatures in the zone.
- If a private key of the same algorithm isn't available to named,
- the signing would fail but the old signatures would already be
- deleted. named now checks if it can access the private key before
- deleting the old signatures and leaves the old signature if no
- private key is found. [RT #23136]
- * When using "auto-dnssec maintain" and rolling to a new key, a
- private-type record (only used internally by named) could be
- created and not marked as complete. [RT #23253]
- * Fixed last autosign test report. [RT #23256]
- * named didn't save gid at startup and later assumed gid 0. named now
- saves/restores the gid when creating creating named.pid at startup.
- [RT #23290]
- * If the server has an IPv6 address but does not have IPv6
- connectivity to the internet, dig +trace could fail attempting to
- use IPv6 addresses. [RT #23297]
- * If named is configured with managed zones, the managed key maint
- timer can exercise a race condition that can crash the server. [RT
- #23303]
- * Changing TTL did not cause dnssec-signzone to generate new
- signatures. [RT #23330]
- * Have the validating resolver use RRSIG original TTL to compute
- validated RRset and RRSIG TTL. [RT #23332]
- * In "make test" bin/tests/resolver, hold the socket manager lock
- while freeing the socket. [RT #23333]
- * If named encountered a CNAME instead of a DS record when walking
- the chain of trust down from the trust anchor, it incorrectly
- stopped validating. [RT #23338]
- * dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in HEADERS
- variable. [RT #23342]
- * RRSIG records could have time stamps too far in the future. [RT
- #23356]
- * named stores cached data in an in-memory database and keeps track
- of how recently the data is used with a heap. The heap is stored
- within the cache's memory space. Under a sustained high query load
- and with a small cache size, this could lead to the heap exhausting
- the cache space. This would result in cache misses and SERVFAILs,
- with named never releasing the cache memory the heap used up and
- never recovering. This fix removes the heap into its own memory
- space, preventing the heap from exhausting the cache space and
- allowing named to recover gracefully when the high query load
- abates. [RT #23371]
- * Fully separated key management on a per view basis. [RT #23419]
- * If running on a powerpc CPU and with atomic operations enabled,
- named could lock up. Added sync instructions to the end of atomic
- operations. [RT #23469]
- * If OpenSSL was built without engine support, named would have
- compile errors and fail to build. [RT #23473]
- * If ./configure finds GOST but not elliptic curve, named fails to
- build. Added elliptic curve support check in GOST OpenSSL engine
- detection. [RT #23485]
- * "rndc secroots" would abort on the first error and so could miss
- remaining views. [RT #23488]
- * Handle isc_event_allocate failures in t_tasks test. [RT #23572]
- * ixfr-from-differences {master|slave}; failed to select the
- master/slave zones, resulting in on diff/journal file being
- created. [RT #23580]
- * If a DNAME substitution failed, named returned NOERROR. The correct
- response should be YXDOMAIN. [RT #23591]
- * dns_dnssec_findzonekeys{2} used a inconsistant timestamp when
- determining which keys are active. This could result in some RRsets
- not being signed/re-signed. [RT #23642]
- * Remove bin/tests/system/logfileconfig/ns1/named.conf and add
- setup.sh in order to resolve changing named.conf issue. [RT #23687]
- * NOTIFY messages were not being sent when generating a NSEC3 chain
- incrementally. [RT #23702]
- * DDNS updates using SIG(0) with update-policy match type "external"
- could cause a crash. Also fixed nsupdate core dump on shutdown when
- using a SIG(0) key, due to the key not being freed. [RT #23735]
- * Zones using automatic key maintenance could fail to check the key
- repository for updates. named now checks once per hour and the
- automatic check bug has been fixed. [RT #23744]
- * named now uses the correct strtok/strtok_r/strtok_s based on OS.
- [RT #23747]
- * Signatures for records at the zone apex could go stale due to an
- incorrect timer setting. [RT #23769]
- * The autosign tests attempted to open ports within reserved ranges.
- Test now avoids those ports. [RT #23957]
- * GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
- be cached. Now sets KRB5_KTNAME before calling log_cred() in
- dst_gssapi_acceptctx(). [RT #24004]
- * named, acting as authoritative server for DLZ zones, was not
- correctly setting the authoritative (AA) bit. [RT #24146]
- * Clean up some cross-compiling issues and added two undocumented
- configure options, --with-gost and --with-rlimtype, to allow
- over-riding default settings (gost=no and rlimtype="long int") when
- cross-compiling. [RT #24367]
- * When trying sign with NSEC3, if dnssec-signzone couldn't find the
- KSK, it would give an incorrect error "NSEC3 iterations too big for
- weakest DNSKEY strength" rather than the correct "failed to find
- keys at the zone apex: not found" [RT #24369]
- * Configuring 'dnssec-validation auto' in a view instead of in the
- options statement could trigger an assertion failure in
- named-checkconf. [RT #24382]
- * Improved consistency checks for dnssec-enable and
- dnssec-validation, added test cases to the checkconf system test.
- [RT #24398]
- * If named is configured to be both authoritative and recursive and
- receives a recursive query for a CNAME in a zone that it is
- authoritative for, if that CNAME also points to a zone the server
- is authoritative for, the recursive part of name will not follow
- the CNAME change and the response will not be a complete CNAME
- chain. [RT #24455]
- * nsupdate could dump core on shutdown when using SIG(0) keys. [RT
- #24604]
- * Named could fail to validate zones list in a DLV that validated
- insecure without using DLV and had DS records in the parent zone.
- [RT #24631]
- * dnssec-signzone now records timestamps just before and just after
- signing, improving the accuracy of signing statistics. [RT #16030]
- * If allow-new-zones was set to yes and name-based ACLs were used,
- named could crash when "rndc reconfig" was issued. [RT #22739]
- * RT #23136 fixed a problem where named would delete old signatures
- even when the private key wasn't available to re-sign the zone,
- resulting in a zone with missing signatures. This fix (CHANGES
- 3114) did not completely fix all issues. [RT #24577]
- * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
- 1280 bytes to not fragment as they should. Until there is a kernel
- fix, named will work around this by setting IPV6_USE_MIN_MTU on a
- per packet basis. [RT #24950]
-
-Known issues in this release
-
- * None.
-
-Thank You
-
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- http://www.isc.org/supportisc.
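Review bot: with this plain-text copy removed alongside the .html and .pdf, and the diffstat reporting 0 insertions, the commit adds no release-notes file under contrib/bind9. The log says the tarball was re-rolled to remove the 9.8.1 notes; it would help to state whether the re-rolled 9.8.2 tarball ships notes of its own, so the absence reads as intended rather than as a missed file.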
diff --git a/contrib/bind9/release-notes.css b/contrib/bind9/release-notes.css
deleted file mode 100644
index 822214c1d610..000000000000
--- a/contrib/bind9/release-notes.css
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id$ */
-
-body {
- background-color: #ffffff;
- color: #333333;
- font-family: "Helvetica Neue", "ArialMT", "Verdana", "Arial", "Helvetica", sans-serif;
- font-size: 14px;
- line-height: 18px;
- margin: 2em auto;
- width: 700px;
-}
-
-.command {
- font-family: "Courier New", "Courier", monospace;
- font-weight: normal;
-}
-
-.note {
- background-color: #ddeedd;
- border: 1px solid #aaccaa;
- margin: 1em 0 1em 0;
- padding: 0.5em 1em 0.5em 1em;
- -moz-border-radius: 10px;
- -webkit-border-radius: 10px;
-}
-
-.screen {
- background-color: #ffffee;
- border: 1px solid #ddddaa;
- padding: 0.25em 1em 0.25em 1em;
- margin: 1em 0 1em 0;
- -moz-border-radius: 10px;
- -webkit-border-radius: 10px;
-}
-
-.section.title {
- font-size: 150%;
- font-weight: bold;
-}
-
-.section.section.title {
- font-size: 130%;
- font-weight: bold;
-}
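Review bot: check that nothing left under contrib/bind9 still links to this stylesheet. The only reference visible in this patch is the link rel="stylesheet" href="release-notes.css" in the head of the deleted RELEASE-NOTES-BIND-9.8.1.html, and that file goes away in the same commit, so the removal looks safe as long as no other imported HTML uses it.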