diff options
Diffstat (limited to 'doc/arm/notes.xml')
| -rw-r--r-- | doc/arm/notes.xml | 292 |
1 files changed, 292 insertions, 0 deletions
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml new file mode 100644 index 000000000000..6960bda51b1d --- /dev/null +++ b/doc/arm/notes.xml @@ -0,0 +1,292 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- + - Copyright (C) 2014, 2015 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<sect1 xmlns:xi="http://www.w3.org/2001/XInclude"> + <xi:include href="noteversion.xml"/> + <sect2 id="relnotes_intro"> + <title>Introduction</title> + <para> + This document summarizes changes since the last production release + of BIND on the corresponding major release branch. + </para> + </sect2> + <sect2 id="relnotes_download"> + <title>Download</title> + <para> + The latest versions of BIND 9 software can always be found at + <ulink url="http://www.isc.org/downloads/" + >http://www.isc.org/downloads/</ulink>. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. + </para> + </sect2> + <sect2 id="relnotes_security"> + <title>Security Fixes</title> + <itemizedlist> + <listitem> + <para> + On servers configured to perform DNSSEC validation using + managed trust anchors (i.e., keys configured explicitly + via <command>managed-keys</command>, or implicitly + via <command>dnssec-validation auto;</command> or + <command>dnssec-lookaside auto;</command>), revoking + a trust anchor and sending a new untrusted replacement + could cause <command>named</command> to crash with an + assertion failure. This could occur in the event of a + botched key rollover, or potentially as a result of a + deliberate attack if the attacker was in position to + monitor the victim's DNS traffic. + </para> + <para> + This flaw was discovered by Jan-Piet Mens, and is + disclosed in CVE-2015-1349. [RT #38344] + </para> + </listitem> + <listitem> + <para> + A flaw in delegation handling could be exploited to put + <command>named</command> into an infinite loop, in which + each lookup of a name server triggered additional lookups + of more name servers. This has been addressed by placing + limits on the number of levels of recursion + <command>named</command> will allow (default 7), and + on the number of queries that it will send before + terminating a recursive query (default 50). + </para> + <para> + The recursion depth limit is configured via the + <option>max-recursion-depth</option> option, and the query limit + via the <option>max-recursion-queries</option> option. + </para> + <para> + The flaw was discovered by Florian Maury of ANSSI, and is + disclosed in CVE-2014-8500. [RT #37580] + </para> + </listitem> + </itemizedlist> + </sect2> + <sect2 id="relnotes_features"> + <title>New Features</title> + <itemizedlist> + <listitem> + <para>None</para> + </listitem> + </itemizedlist> + </sect2> + <sect2 id="relnotes_changes"> + <title>Feature Changes</title> + <itemizedlist> + <listitem> + <para> + NXDOMAIN responses to queries of type DS are now cached separately + from those for other types. This helps when using "grafted" zones + of type forward, for which the parent zone does not contain a + delegation, such as local top-level domains. Previously a query + of type DS for such a zone could cause the zone apex to be cached + as NXDOMAIN, blocking all subsequent queries. (Note: This + change is only helpful when DNSSEC validation is not enabled. + "Grafted" zones without a delegation in the parent are not a + recommended configuration.) + </para> + </listitem> + <listitem> + <para> + NOTIFY messages that are sent because a zone has been updated + are now given priority above NOTIFY messages that were scheduled + when the server started up. This should mitigate delays in zone + propagation when servers are restarted frequently. + </para> + </listitem> + <listitem> + <para> + Errors reported when running <command>rndc addzone</command> + (e.g., when a zone file cannot be loaded) have been clarified + to make it easier to diagnose problems. + </para> + </listitem> + <listitem> + <para> + Added support for OPENPGPKEY type. + </para> + </listitem> + <listitem> + <para> + When encountering an authoritative name server whose name is + an alias pointing to another name, the resolver treats + this as an error and skips to the next server. Previously + this happened silently; now the error will be logged to + the newly-created "cname" log category. + </para> + </listitem> + <listitem> + <para> + If named is not configured to validate the answer then + allow fallback to plain DNS on timeout even when we know + the server supports EDNS. This will allow the server to + potentially resolve signed queries when TCP is being + blocked. + </para> + </listitem> + </itemizedlist> + </sect2> + <sect2 id="relnotes_bugs"> + <title>Bug Fixes</title> + <itemizedlist> + <listitem> + <para> + <command>dig</command>, <command>host</command> and + <command>nslookup</command> aborted when encountering + a name which, after appending search list elements, + exceeded 255 bytes. Such names are now skipped, but + processing of other names will continue. [RT #36892] + </para> + </listitem> + <listitem> + <para> + The error message generated when + <command>named-checkzone</command> or + <command>named-checkconf -z</command> encounters a + <option>$TTL</option> directive without a value has + been clarified. [RT #37138] + </para> + </listitem> + <listitem> + <para> + Semicolon characters (;) included in TXT records were + incorrectly escaped with a backslash when the record was + displayed as text. This is actually only necessary when there + are no quotation marks. [RT #37159] + </para> + </listitem> + <listitem> + <para> + When files opened for writing by <command>named</command>, + such as zone journal files, were referenced more than once + in <filename>named.conf</filename>, it could lead to file + corruption as multiple threads wrote to the same file. This + is now detected when loading <filename>named.conf</filename> + and reported as an error. [RT #37172] + </para> + </listitem> + <listitem> + <para> + <command>dnssec-keygen -S</command> failed to generate successor + keys for some algorithm types (including ECDSA and GOST) due to + a difference in the content of private key files. This has been + corrected. [RT #37183] + </para> + </listitem> + <listitem> + <para> + UPDATE messages that arrived too soon after + an <command>rndc thaw</command> could be lost. [RT #37233] + </para> + </listitem> + <listitem> + <para> + Forwarding of UPDATE messages did not work when they were + signed with SIG(0); they resulted in a BADSIG response code. + [RT #37216] + </para> + </listitem> + <listitem> + <para> + When checking for updates to trust anchors listed in + <option>managed-keys</option>, <command>named</command> + now revalidates keys based on the current set of + active trust anchors, without relying on any cached + record of previous validation. [RT #37506] + </para> + </listitem> + <listitem> + <para> + When NXDOMAIN redirection is in use, queries for a name + that is present in the redirection zone but a type that + is not present will now return NOERROR instead of NXDOMAIN. + </para> + </listitem> + <listitem> + <para> + When a zone contained a delegation to an IPv6 name server + but not an IPv4 name server, it was possible for a memory + reference to be left un-freed. This caused an assertion + failure on server shutdown, but was otherwise harmless. + [RT #37796] + </para> + </listitem> + <listitem> + <para> + Due to an inadvertent removal of code in the previous + release, when <command>named</command> encountered an + authoritative name server which dropped all EDNS queries, + it did not always try plain DNS. This has been corrected. + [RT #37965] + </para> + </listitem> + <listitem> + <para> + A regression caused nsupdate to use the default recursive servers + rather than the SOA MNAME server when sending the UPDATE. + </para> + </listitem> + <listitem> + <para> + Adjusted max-recursion-queries to better accommodate empty + caches. + </para> + </listitem> + <listitem> + <para> + Built-in "empty" zones did not correctly inherit the + "allow-transfer" ACL from the options or view. [RT #38310] + </para> + </listitem> + <listitem> + <para> + A mutex leak was fixed that could cause <command>named</command> + processes to grow to very large sizes. [RT #38454] + </para> + </listitem> + <listitem> + <para> + Fixed some bugs in RFC 5011 trust anchor management, + including a memory leak and a possible loss of state + information.[RT #38458] + </para> + </listitem> + </itemizedlist> + </sect2> + <sect2 id="end_of_life"> + <title>End of Life</title> + <para> + The BIND 9.9 (Extended Support Version) will be supported until June, 2017. + <ulink url="https://www.isc.org/downloads/software-support-policy/" + >https://www.isc.org/downloads/software-support-policy/</ulink> + </para> + </sect2> + <sect2 id="relnotes_thanks"> + <title>Thank You</title> + <para> + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + <ulink url="http://www.isc.org/donate/" + >http://www.isc.org/donate/</ulink>. + </para> + </sect2> +</sect1> |