Table of Contents
- -- This document summarizes changes since the last production release - of BIND on the corresponding major release branch. -
-- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -
-- A specially crafted query could trigger an assertion failure - in message.c -
-- This flaw was discovered by Jonathan Foote, and is disclosed - in CVE-2015-5477. [RT #39795] -
-- On servers configured to perform DNSSEC validation, an - assertion failure could be triggered on answers from - a specially configured server. -
-- This flaw was discovered by Breno Silveira Soares, and is - disclosed in CVE-2015-4620. [RT #39795] -
-- New quotas have been added to limit the queries that are - sent by recursive resolvers to authoritative servers - experiencing denial-of-service attacks. When configured, - these options can both reduce the harm done to authoritative - servers and also avoid the resource exhaustion that can be - experienced by recursives when they are being used as a - vehicle for such an attack. -
-- NOTE: These options are not available by default; use - configure --enable-fetchlimit to include - them in the build. -
-
- fetches-per-server limits the number of
- simultaneous queries that can be sent to any single
- authoritative server. The configured value is a starting
- point; it is automatically adjusted downward if the server is
- partially or completely non-responsive. The algorithm used to
- adjust the quota can be configured via the
- fetch-quota-params option.
-
- fetches-per-zone limits the number of
- simultaneous queries that can be sent for names within a
- single domain. (Note: Unlike "fetches-per-server", this
- value is not self-tuning.)
-
- Statistics counters have also been added to track the number - of queries affected by these quotas. -
-- An --enable-querytrace configure switch is - now available to enable very verbose query tracelogging. This - option can only be set at compile time. This option has a - negative performance impact and should be used only for - debugging. -
- EDNS COOKIE options content is now displayed as - "COOKIE: <hexvalue>". -
- Large inline-signing changes should be less disruptive.
- Signature generation is now done incrementally; the number
- of signatures to be generated in each quantum is controlled
- by "sig-signing-signatures number;".
- [RT #37927]
-
- Retrieving the local port range from net.ipv4.ip_local_port_range - on Linux is now supported. -
- Asynchronous zone loads were not handled correctly when the - zone load was already in progress; this could trigger a crash - in zt.c. [RT #37573] -
- A race during shutdown or reconfiguration could - cause an assertion failure in mem.c. [RT #38979] -
- Some answer formatting options didn't work correctly with - dig +short. [RT #39291] -
- The BIND 9.9 (Extended Support Version) will be supported until June, 2017. - https://www.isc.org/downloads/software-support-policy/ -
-- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -
-GNU make is required to build the export libraries (other part of BIND 9 can still be built with other types of make). In the reminder of this document, "make" means GNU make. Note that @@ -98,7 +98,7 @@
$./configure --enable-exportlib$[other flags]make@@ -113,7 +113,7 @@ $make$cd lib/export$make install@@ -135,7 +135,7 @@ $make install
Currently, win32 is not supported for the export library. (Normal BIND 9 application can be built as @@ -175,7 +175,7 @@ $
makeThe IRS library supports an "advanced" configuration file related to the DNS library for configuration parameters that would be beyond the capability of the @@ -193,14 +193,14 @@ $
makeSome sample application programs using this API are provided for reference. The following is a brief description of these applications.
It sends a query of a given name (of a given optional RR type) to a specified recursive server, and prints the result as a list of @@ -264,7 +264,7 @@ $
makeSimilar to "sample", but accepts a list of (query) domain names as a separate file and resolves the names @@ -305,7 +305,7 @@ $
makeIt sends a query to a specified server, and prints the response with minimal processing. It doesn't act as a @@ -346,7 +346,7 @@ $
makeThis is a test program to check getaddrinfo() and getnameinfo() behavior. It takes a @@ -363,7 +363,7 @@ $
makeIt accepts a single update command as a command-line argument, sends an update request message to the @@ -458,7 +458,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmIt checks a set of domains to see the name servers of the domains behave @@ -515,7 +515,7 @@ $
sample-update -a sample-update -k Kxxx.+nnn+mmAs of this writing, there is no formal "manual" of the libraries, except this document, header files (some of them provide pretty detailed explanations), and sample application diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index a2bf96bcfd..b7c0ca78b2 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -233,19 +233,6 @@
Where Can I Get Help? A. Release Notes -B. A Brief History of the DNS and BIND C. General DNS Reference Information @@ -262,13 +249,13 @@I. Manual pages diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index b1be2ba5c4..2a83878e03 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -50,20 +50,20 @@
arpaname{ipaddress...}-diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index f88ae3b098..07f9280fc8 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
arpaname translates IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen[-a] [algorithm-h] [-k] [keyname-r] [ -srandomfilename| -zzone] [-q] [name]-diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index c629cf9401..1229eb5997 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -52,7 +52,7 @@DESCRIPTION
+DESCRIPTION
ddns-confgen generates a key for use by nsupdate and named. It simplifies configuration @@ -77,7 +77,7 @@
dig[global-queryopt...] [query...]-DESCRIPTION
+DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and @@ -99,7 +99,7 @@
-QUERY OPTIONS
+QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of @@ -649,7 +649,7 @@
-MULTIPLE QUERIES
+MULTIPLE QUERIES
The BIND 9 implementation of dig supports @@ -695,7 +695,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-IDN SUPPORT
+IDN SUPPORT
If dig has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -709,14 +709,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-SEE ALSO
+SEE ALSO
host(1), named(8), dnssec-keygen(8), @@ -724,7 +724,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-BUGS
+BUGS
There are probably too many query options.
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index bd48276375..a372b10c95 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -51,7 +51,7 @@
dnssec-dsfromkey[-l] [domain-f] [file-d] [dig path-D] {zone}dsfromkey path-diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index b4454017c1..e2bbcae24d 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified @@ -59,7 +59,7 @@
dnssec-coverage[-K] [directory-f] [file-d] [DNSKEY TTL-m] [max TTL-r] [interval-c] [zone]compilezone path-diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index 2c8ad67f62..fd4abe6f2d 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -52,14 +52,14 @@DESCRIPTION
+DESCRIPTION
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC @@ -78,7 +78,7 @@
dnssec-dsfromkey[-h] [-V]-DESCRIPTION
+DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-FILES
+FILES
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiiior the full file name @@ -179,13 +179,13 @@-diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 43393218b3..7a01cb4a55 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -195,7 +195,7 @@
dnssec-keyfromlabel{-llabel} [-3] [-a] [algorithm-A] [date/offset-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-I] [date/offset-i] [interval-k] [-K] [directory-L] [ttl-n] [nametype-P] [date/offset-p] [protocol-R] [date/offset-S] [key-t] [type-v] [level-V] [-y] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keyfromlabel generates a key pair of files that referencing a key object stored in a cryptographic hardware service module (HSM). The private key @@ -66,7 +66,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -281,7 +281,7 @@
-GENERATED KEY FILES
+GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, @@ -320,7 +320,7 @@
-diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index b9a415abdb..dd20338bb5 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -328,7 +328,7 @@
dnssec-keygen[-a] [algorithm-b] [keysize-n] [nametype-3] [-A] [date/offset-C] [-c] [class-D] [date/offset-E] [engine-f] [flag-G] [-g] [generator-h] [-I] [date/offset-i] [interval-K] [directory-L] [ttl-k] [-P] [date/offset-p] [protocol-q] [-R] [date/offset-r] [randomdev-S] [key-s] [strength-t] [type-v] [level-V] [-z] {name}-DESCRIPTION
+DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with @@ -64,7 +64,7 @@
-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -354,7 +354,7 @@
-EXAMPLE
+EXAMPLE
To generate a 768-bit DSA key for the domain
example.com, the following command would be @@ -421,7 +421,7 @@-diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index ed6b8634bb..8e73edda97 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, @@ -430,7 +430,7 @@
dnssec-revoke[-hr] [-v] [level-V] [-K] [directory-E] [engine-f] [-R] {keyfile}-diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 848e64f807..c1bf9c2ea1 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the @@ -58,7 +58,7 @@
dnssec-settime[-f] [-K] [directory-L] [ttl-P] [date/offset-A] [date/offset-R] [date/offset-I] [date/offset-D] [date/offset-h] [-V] [-v] [level-E] {keyfile}engine-DESCRIPTION
+DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the
-P,-A, @@ -76,7 +76,7 @@-TIMING OPTIONS
+TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as @@ -203,7 +203,7 @@
-PRINTING OPTIONS
+PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata associated with a key. @@ -229,7 +229,7 @@
-diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index e03b549c07..2d0b32fd24 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -50,7 +50,7 @@SEE ALSO
+SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, @@ -237,7 +237,7 @@
dnssec-signzone[-a] [-c] [class-d] [directory-D] [-E] [engine-e] [end-time-f] [output-file-g] [-h] [-K] [directory-k] [key-L] [serial-l] [domain-i] [interval-I] [input-format-j] [jitter-N] [soa-serial-format-o] [origin-O] [output-format-P] [-p] [-R] [-r] [randomdev-S] [-s] [start-time-T] [ttl-t] [-u] [-v] [level-V] [-X] [extended end-time-x] [-z] [-3] [salt-H] [iterations-A] {zonefile} [key...]-DESCRIPTION
+DESCRIPTION
dnssec-signzone signs a zone. It generates NSEC and RRSIG records and produces a signed version of the @@ -61,7 +61,7 @@
-diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 2c4c2ee383..3c43f041a0 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -50,7 +50,7 @@EXAMPLE
+EXAMPLE
The following command signs the
example.comzone with the DSA key generated by dnssec-keygen @@ -513,14 +513,14 @@ db.example.com.signed %
dnssec-verify[-c] [class-E] [engine-I] [input-format-o] [origin-v] [level-V] [-x] [-z] {zonefile}-diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 1b0eb3c8ee..1845dacdbd 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 @@ -58,7 +58,7 @@
genrandom[-n] {numbersize} {filename}-diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index d360a7f26b..897211061e 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
genrandom generates a file or a set of files containing a specified quantity @@ -59,7 +59,7 @@
host[-aCdlnrsTwv] [-c] [class-N] [ndots-R] [number-t] [type-W] [wait-m] [flag-4] [-6] [-v] [-V] {name} [server]-DESCRIPTION
+DESCRIPTION
host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. @@ -206,7 +206,7 @@
-IDN SUPPORT
+IDN SUPPORT
If host has been built with IDN (internationalized domain name) support, it can accept and display non-ASCII domain names. @@ -220,12 +220,12 @@
-SEE ALSO
+SEE ALSO
dig(1), named(8).
diff --git a/doc/arm/man.isc-hmac-fixup.html b/doc/arm/man.isc-hmac-fixup.html index 520a661f34..5776e46417 100644 --- a/doc/arm/man.isc-hmac-fixup.html +++ b/doc/arm/man.isc-hmac-fixup.html @@ -50,7 +50,7 @@
isc-hmac-fixup{algorithm} {secret}-DESCRIPTION
+DESCRIPTION
Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC-SHA* TSIG keys which were longer than the digest length of the @@ -76,7 +76,7 @@
-diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 5090d7ad6e..cd62cb30a0 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -50,7 +50,7 @@SECURITY CONSIDERATIONS
+SECURITY CONSIDERATIONS
Secrets that have been converted by isc-hmac-fixup are shortened, but as this is how the HMAC protocol works in @@ -87,14 +87,14 @@
named-checkconf[-h] [-v] [-j] [-t] {filename} [directory-p] [-x] [-z]-DESCRIPTION
+DESCRIPTION
named-checkconf checks the syntax, but not the semantics, of a named configuration file. The file is parsed @@ -70,7 +70,7 @@
-diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index b408b1fa62..89cf24c8b0 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -51,7 +51,7 @@RETURN VALUES
+RETURN VALUES
named-checkconf returns an exit status of 1 if errors were detected and 0 otherwise.
named-compilezone[-d] [-j] [-q] [-v] [-c] [class-C] [mode-f] [format-F] [format-i] [mode-k] [mode-m] [mode-n] [mode-L] [serial-r] [mode-s] [style-t] [directory-T] [mode-w] [directory-D] [-W] {mode-o} {zonename} {filename}filename-DESCRIPTION
+DESCRIPTION
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -71,7 +71,7 @@
-diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index d8855f2a9a..2b7952e764 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -50,7 +50,7 @@RETURN VALUES
+RETURN VALUES
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
named-journalprint{journal}-diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 8b8a854dc5..3704f40330 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
named-journalprint prints the contents of a zone journal file in a human-readable @@ -76,7 +76,7 @@
named[-4] [-6] [-c] [config-file-d] [debug-level-E] [engine-name-f] [-g] [-M] [option-m] [flag-n] [#cpus-p] [port-s] [-S] [#max-socks-t] [directory-U] [#listeners-u] [user-v] [-V] [-x]cache-file-DESCRIPTION
+DESCRIPTION
named is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more @@ -65,7 +65,7 @@
-SIGNALS
+SIGNALS
In routine operation, signals should not be used to control the nameserver; rndc should be used @@ -287,7 +287,7 @@
-diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 24863b5f04..b819135757 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -48,7 +48,7 @@CONFIGURATION
+CONFIGURATION
The named configuration file is too complex to describe in detail here. A complete description is provided @@ -304,7 +304,7 @@
nsec3hash{salt} {algorithm} {iterations} {domain}-diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 25c9c2056a..381d13732e 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity @@ -56,7 +56,7 @@
nsupdate[-d] [-D] [-L] [[level-g] | [-o] | [-l] | [-y] | [[hmac:]keyname:secret-k]] [keyfile-t] [timeout-u] [udptimeout-r] [udpretries-R] [randomdev-v] [-V] [filename]-DESCRIPTION
+DESCRIPTION
nsupdate is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. @@ -108,7 +108,7 @@
-BUGS
+BUGS
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 975f7bcc4d..6057f7dd90 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -50,7 +50,7 @@
rndc-confgen[-a] [-b] [keysize-c] [keyfile-h] [-k] [keyname-p] [port-r] [randomfile-s] [address-t] [chrootdir-u]user-diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index f745ef16dd..25425e3e2a 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -50,7 +50,7 @@DESCRIPTION
+DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a @@ -66,7 +66,7 @@
rndc.conf-DESCRIPTION
+DESCRIPTION
rndc.confis the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to @@ -135,7 +135,7 @@-diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index bb2fdede56..82b88ab12e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -50,7 +50,7 @@NAME SERVER CONFIGURATION
+NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to recognize the key specified in the
rndc.conf@@ -219,7 +219,7 @@
rndc[-b] [source-address-c] [config-file-k] [key-file-s] [server-p] [port-V] [-y] {command}key_id-DESCRIPTION
+DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc utility @@ -79,7 +79,7 @@
-COMMANDS
+COMMANDS
A list of commands supported by rndc can be seen by running rndc without arguments. @@ -543,7 +543,7 @@
-diff --git a/doc/arm/notes.html b/doc/arm/notes.html index f296238266..c2670d314e 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -19,162 +19,5 @@LIMITATIONS
+LIMITATIONS
There is currently no way to provide the shared secret for a
key_idwithout using the configuration file. @@ -553,7 +553,7 @@- +- -- --- This document summarizes changes since the last production release - of BIND on the corresponding major release branch. -
-- --- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -
-- ----
- -
-- A specially crafted query could trigger an assertion failure - in message.c -
-- This flaw was discovered by Jonathan Foote, and is disclosed - in CVE-2015-5477. [RT #39795] -
-- -
-- On servers configured to perform DNSSEC validation, an - assertion failure could be triggered on answers from - a specially configured server. -
-- This flaw was discovered by Breno Silveira Soares, and is - disclosed in CVE-2015-4620. [RT #39795] -
-- ----
- -
-- New quotas have been added to limit the queries that are - sent by recursive resolvers to authoritative servers - experiencing denial-of-service attacks. When configured, - these options can both reduce the harm done to authoritative - servers and also avoid the resource exhaustion that can be - experienced by recursives when they are being used as a - vehicle for such an attack. -
-- NOTE: These options are not available by default; use - configure --enable-fetchlimit to include - them in the build. -
---
- -
-
fetches-per-serverlimits the number of - simultaneous queries that can be sent to any single - authoritative server. The configured value is a starting - point; it is automatically adjusted downward if the server is - partially or completely non-responsive. The algorithm used to - adjust the quota can be configured via the -fetch-quota-paramsoption. -- -
-
fetches-per-zonelimits the number of - simultaneous queries that can be sent for names within a - single domain. (Note: Unlike "fetches-per-server", this - value is not self-tuning.) -- Statistics counters have also been added to track the number - of queries affected by these quotas. -
-- -
- An --enable-querytrace configure switch is - now available to enable very verbose query tracelogging. This - option can only be set at compile time. This option has a - negative performance impact and should be used only for - debugging. -
- -
- EDNS COOKIE options content is now displayed as - "COOKIE: <hexvalue>". -
- ----
- -
- Large inline-signing changes should be less disruptive. - Signature generation is now done incrementally; the number - of signatures to be generated in each quantum is controlled - by "sig-signing-signatures
number;". - [RT #37927] -- -
- Retrieving the local port range from net.ipv4.ip_local_port_range - on Linux is now supported. -
- ----
- -
- Asynchronous zone loads were not handled correctly when the - zone load was already in progress; this could trigger a crash - in zt.c. [RT #37573] -
- -
- A race during shutdown or reconfiguration could - cause an assertion failure in mem.c. [RT #38979] -
- -
- Some answer formatting options didn't work correctly with - dig +short. [RT #39291] -
- --- The BIND 9.9 (Extended Support Version) will be supported until June, 2017. - https://www.isc.org/downloads/software-support-policy/ -
-- --- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -
-<xi:include></xi:include>