- BIND 9.15 is an unstable development release of BIND. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development release - leading up to the stable BIND 9.16 release, this document will be - updated with additional features added and bugs fixed. -
-+ BIND 9.15 is an unstable development release of BIND. + This document summarizes new features and functional changes that + have been introduced on this branch. With each development release + leading up to the stable BIND 9.16 release, this document will be + updated with additional features added and bugs fixed. +
+- Until BIND 9.12, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". - More recently, BIND adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.15 branch, only increasing version numbers. - So, for example, what would previously have been called 9.15.0a1, - 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, - 9.15.1, 9.15.2, etc. -
-- The first stable release from this development branch will be - renamed as 9.16.0. Thereafter, maintenance releases will continue - on the 9.16 branch, while unstable feature development proceeds in - 9.17. -
-+ Until BIND 9.12, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". + More recently, BIND adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc. +
++ The first stable release from this development branch will be + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17. +
+- To build on UNIX-like systems, BIND requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -
-- The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -
-
- More information can be found in the PLATFORMS.md
- file that is included in the source distribution of BIND 9. If your
- compiler and system libraries provide the above features, BIND 9
- should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
-
+ To build on UNIX-like systems, BIND requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +
++ The OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +
+
+ More information can be found in the PLATFORMS.md
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+
- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -
-+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +
+- In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -
-+ The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +
+- The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in - CVE-2018-5743. [GL #615] -
-+ In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880] +
+- A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -
-+ A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +
+- Added a new command line option to dig: - <comand>+[no]unexpected</comand>. By default, dig - won't accept a reply from a source other than the one to which - it sent the query. Add the +unexpected argument - to enable it to process replies from unexpected sources. -
-+ Added a new command line option to dig: + +[no]unexpected. By default, dig + won't accept a reply from a source other than the one to which + it sent the query. Add the +unexpected argument + to enable it to process replies from unexpected sources. +
+- The GeoIP2 API from MaxMind is now supported. Geolocation support - will be compiled in by default if the libmaxminddb - library is found at compile time, but can be turned off by using - configure --disable-geoip. -
-
- The default path to the GeoIP2 databases will be set based
- on the location of the libmaxminddb library;
- for example, if it is in /usr/local/lib,
- then the default path will be
- /usr/local/share/GeoIP.
- This value can be overridden in named.conf
- using the geoip-directory option.
-
- Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of these databases support both IPv4 - and IPv6 lookups. [GL #182] [GL #1112] -
-+ The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +
+
+ The default path to the GeoIP2 databases will be set based
+ on the location of the libmaxminddb library;
+ for example, if it is in /usr/local/lib,
+ then the default path will be
+ /usr/local/share/GeoIP.
+ This value can be overridden in named.conf
+ using the geoip-directory option.
+
+ Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +
+- In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statements have been - deprecated, and the new dnssec-keys - statement should now be used for both types of key. -
-- When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. -
-- When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. (This usage is not recommended for the root key.) - [GL #6] -
-+ In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +
++ When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +
++ When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +
+- The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -
-+ The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865] +
+- Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -
-+ Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +
+- Statistics channel groups are now toggleable. [GL #1030] -
-+ Statistics channel groups are now toggleable. [GL #1030] +
+- dig, mdig and - delv can all now take a +yaml - option to print output in a a detailed YAML format. [RT #1145] -
-+ dig, mdig and + delv can all now take a +yaml + option to print output in a a detailed YAML format. [RT #1145] +
+- The dnssec-enable option has been obsoleted and - no longer has any effect. DNSSEC responses are always enabled - if signatures and other DNSSEC data are present. [GL #866] -
-+ The dnssec-enable option has been obsoleted and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866] +
+- The cleaning-interval option has been - removed. [GL !1731] -
-+ The cleaning-interval option has been + removed. [GL !1731] +
+
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The dnssec-lookaside option has been
- marked as deprecated; when used in named.conf,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, delv, and the DNSSEC tools.
- [GL #7]
-
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The dnssec-lookaside option has been
+ marked as deprecated; when used in named.conf,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, delv, and the DNSSEC tools.
+ [GL #7]
+
- named will now log a warning if - a static key is configured for the root zone. [GL #6] -
-+ named will now log a warning if + a static key is configured for the root zone. [GL #6] +
+
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- dnssec-validation was set to the default
- value of auto, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
-
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ dnssec-validation was set to the default
+ value of auto, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of dnssec-dsfromkey, the
- dsset files generated by
- dnssec-signzone, the DS records added to
- a zone by dnssec-signzone based on
- keyset files, the CDS records added to
- a zone by named and
- dnssec-signzone based on "sync" timing
- parameters in key files, and the checks performed by
- dnssec-checkds.
-
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of dnssec-dsfromkey, the
+ dsset files generated by
+ dnssec-signzone, the DS records added to
+ a zone by dnssec-signzone based on
+ keyset files, the CDS records added to
+ a zone by named and
+ dnssec-signzone based on "sync" timing
+ parameters in key files, and the checks performed by
+ dnssec-checkds.
+
- JSON-C is now the only supported library for enabling JSON - support for BIND statistics. The configure - option has been renamed from --with-libjson - to --with-json-c. Use - PKG_CONFIG_PATH to specify a custom path to - the json-c library as the new - configure option does not take the library - installation path as an optional argument. -
-+ JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +
+- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and - made default. Old non-default HMAC-SHA based DNS Cookie algorithms - have been removed, and only the default AES algorithm is being kept - for legacy reasons. This change doesn't have any operational impact - in most common scenarios. [GL #605] -
-- If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -
-+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This change doesn't have any operational impact + in most common scenarios. [GL #605] +
++ If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +
+- The information from the dnssec-signzone and - dnssec-verify commands is now printed to standard - output. The standard error output is only used to print warnings and - errors, and in case the user requests the signed zone to be printed to - standard output with -f - option. A new - configuration option -q has been added to silence - all output on standard output except for the name of the signed zone. -
-+ The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +
+- DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -
-+ DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +
+- The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] -
-+ The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913] +
+- When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded when minimization - was disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -
-+ When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +
+- ./configure no longer sets - --sysconfdir to /etc or - --localstatedir to /var - when --prefix is not specified and the - aforementioned options are not specified explicitly. Instead, - Autoconf's defaults of $prefix/etc and - $prefix/var are respected. -
-+ ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +
+- Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -
-+ Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +
+- Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -
-+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +
+- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -
-+ named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +
+- named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -
-+ named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +
+- named-checkconf now correctly reports - a missing dnstap-output option when - dnstap is set. [GL #1136] -
-+ Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +
+- Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -
-+ Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +
+- dig now correctly expands the IPv6 address - when run with +expandaaaa +short. [GL #1152] -
-+ dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +
+- When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -
-+ When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +
+
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the LICENSE
- file for the full text).
-
- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -
-- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -
-
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the LICENSE
+ file for the full text).
+
+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +
++ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +
+- BIND 9.15 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.16, which will be a - stable branch. -
-- The end of life date for BIND 9.16 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -
-+ BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a + stable branch. +
++ The end of life date for BIND 9.16 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +
+- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -
-+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +
+- Until BIND 9.12, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". - More recently, BIND adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.15 branch, only increasing version numbers. - So, for example, what would previously have been called 9.15.0a1, - 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, - 9.15.1, 9.15.2, etc. -
-- The first stable release from this development branch will be - renamed as 9.16.0. Thereafter, maintenance releases will continue - on the 9.16 branch, while unstable feature development proceeds in - 9.17. -
-+ Until BIND 9.12, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". + More recently, BIND adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc. +
++ The first stable release from this development branch will be + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17. +
+- To build on UNIX-like systems, BIND requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -
-- The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -
-
- More information can be found in the PLATFORMS.md
- file that is included in the source distribution of BIND 9. If your
- compiler and system libraries provide the above features, BIND 9
- should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
-
+ To build on UNIX-like systems, BIND requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +
++ The OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +
+
+ More information can be found in the PLATFORMS.md
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+
- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -
-+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +
+- In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -
-+ The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +
+- The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in - CVE-2018-5743. [GL #615] -
-+ In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880] +
+- A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -
-+ A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +
+- Added a new command line option to dig: - <comand>+[no]unexpected</comand>. By default, dig - won't accept a reply from a source other than the one to which - it sent the query. Add the +unexpected argument - to enable it to process replies from unexpected sources. -
-+ Added a new command line option to dig: + +[no]unexpected. By default, dig + won't accept a reply from a source other than the one to which + it sent the query. Add the +unexpected argument + to enable it to process replies from unexpected sources. +
+- The GeoIP2 API from MaxMind is now supported. Geolocation support - will be compiled in by default if the libmaxminddb - library is found at compile time, but can be turned off by using - configure --disable-geoip. -
-
- The default path to the GeoIP2 databases will be set based
- on the location of the libmaxminddb library;
- for example, if it is in /usr/local/lib,
- then the default path will be
- /usr/local/share/GeoIP.
- This value can be overridden in named.conf
- using the geoip-directory option.
-
- Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of these databases support both IPv4 - and IPv6 lookups. [GL #182] [GL #1112] -
-+ The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +
+
+ The default path to the GeoIP2 databases will be set based
+ on the location of the libmaxminddb library;
+ for example, if it is in /usr/local/lib,
+ then the default path will be
+ /usr/local/share/GeoIP.
+ This value can be overridden in named.conf
+ using the geoip-directory option.
+
+ Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +
+- In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statements have been - deprecated, and the new dnssec-keys - statement should now be used for both types of key. -
-- When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. -
-- When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. (This usage is not recommended for the root key.) - [GL #6] -
-+ In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +
++ When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +
++ When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +
+- The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -
-+ The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865] +
+- Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -
-+ Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +
+- Statistics channel groups are now toggleable. [GL #1030] -
-+ Statistics channel groups are now toggleable. [GL #1030] +
+- dig, mdig and - delv can all now take a +yaml - option to print output in a a detailed YAML format. [RT #1145] -
-+ dig, mdig and + delv can all now take a +yaml + option to print output in a a detailed YAML format. [RT #1145] +
+- The dnssec-enable option has been obsoleted and - no longer has any effect. DNSSEC responses are always enabled - if signatures and other DNSSEC data are present. [GL #866] -
-+ The dnssec-enable option has been obsoleted and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866] +
+- The cleaning-interval option has been - removed. [GL !1731] -
-+ The cleaning-interval option has been + removed. [GL !1731] +
+
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The dnssec-lookaside option has been
- marked as deprecated; when used in named.conf,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, delv, and the DNSSEC tools.
- [GL #7]
-
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The dnssec-lookaside option has been
+ marked as deprecated; when used in named.conf,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, delv, and the DNSSEC tools.
+ [GL #7]
+
- named will now log a warning if - a static key is configured for the root zone. [GL #6] -
-+ named will now log a warning if + a static key is configured for the root zone. [GL #6] +
+
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- dnssec-validation was set to the default
- value of auto, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
-
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ dnssec-validation was set to the default
+ value of auto, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of dnssec-dsfromkey, the
- dsset files generated by
- dnssec-signzone, the DS records added to
- a zone by dnssec-signzone based on
- keyset files, the CDS records added to
- a zone by named and
- dnssec-signzone based on "sync" timing
- parameters in key files, and the checks performed by
- dnssec-checkds.
-
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of dnssec-dsfromkey, the
+ dsset files generated by
+ dnssec-signzone, the DS records added to
+ a zone by dnssec-signzone based on
+ keyset files, the CDS records added to
+ a zone by named and
+ dnssec-signzone based on "sync" timing
+ parameters in key files, and the checks performed by
+ dnssec-checkds.
+
- JSON-C is now the only supported library for enabling JSON - support for BIND statistics. The configure - option has been renamed from --with-libjson - to --with-json-c. Use - PKG_CONFIG_PATH to specify a custom path to - the json-c library as the new - configure option does not take the library - installation path as an optional argument. -
-+ JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +
+- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and - made default. Old non-default HMAC-SHA based DNS Cookie algorithms - have been removed, and only the default AES algorithm is being kept - for legacy reasons. This change doesn't have any operational impact - in most common scenarios. [GL #605] -
-- If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -
-+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This change doesn't have any operational impact + in most common scenarios. [GL #605] +
++ If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +
+- The information from the dnssec-signzone and - dnssec-verify commands is now printed to standard - output. The standard error output is only used to print warnings and - errors, and in case the user requests the signed zone to be printed to - standard output with -f - option. A new - configuration option -q has been added to silence - all output on standard output except for the name of the signed zone. -
-+ The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +
+- DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -
-+ DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +
+- The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] -
-+ The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913] +
+- When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded when minimization - was disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -
-+ When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +
+- ./configure no longer sets - --sysconfdir to /etc or - --localstatedir to /var - when --prefix is not specified and the - aforementioned options are not specified explicitly. Instead, - Autoconf's defaults of $prefix/etc and - $prefix/var are respected. -
-+ ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +
+- Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -
-+ Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +
+- Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -
-+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +
+- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -
-+ named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +
+- named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -
-+ named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +
+- named-checkconf now correctly reports - a missing dnstap-output option when - dnstap is set. [GL #1136] -
-+ Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +
+- Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -
-+ Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +
+- dig now correctly expands the IPv6 address - when run with +expandaaaa +short. [GL #1152] -
-+ dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +
+- When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -
-+ When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +
+
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the LICENSE
- file for the full text).
-
- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -
-- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -
-
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the LICENSE
+ file for the full text).
+
+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +
++ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +
+- BIND 9.15 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.16, which will be a - stable branch. -
-- The end of life date for BIND 9.16 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -
-+ BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a + stable branch. +
++ The end of life date for BIND 9.16 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +
+- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -
-+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +
+