doc rebuild

README

@@ -143,6 +143,11 @@ addition to OpenSSL, BIND now requires support for IPv6, threads, and
 standard atomic operations provided by the C compiler. Non-threaded builds
 are no longer supported.
 
+BIND 9.14.1
+
+BIND 9.14.1 is a maintenance release, and addresses security
+vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
+
 Building BIND
 
 Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,

bin/dnssec/dnssec-keygen.8

@@ -308,17 +308,18 @@ contains the private key\&.
 .PP
 The
 \&.key
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
+file contains a DNSKEY or KEY record\&. When a zone is being signed by
+\fBnamed\fR
+or
+\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
+\&.key
+file can be inserted into a zone file manually or with a
+\fB$INCLUDE\fR
+statement\&.
 .PP
 The
 \&.private
 file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
-.PP
-Both
-\&.key
-and
-\&.private
-files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
 .SH "EXAMPLE"
 .PP
 To generate an ECDSAP256SHA256 zone\-signing key for the zone

bin/dnssec/dnssec-keygen.html

@@ -462,10 +462,12 @@
       key.
     </p>
     <p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
+      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <span class="command"><strong>named</strong></span>
+      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+      records are included automatically. In other cases,
+      the <code class="filename">.key</code> file can be inserted into a zone file
+      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
     </p>
     <p>
       The <code class="filename">.private</code> file contains
@@ -473,11 +475,6 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-    <p>
-      Both <code class="filename">.key</code> and <code class="filename">.private</code>
-      files are generated for symmetric cryptography algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </p>
   </div>
 
   <div class="refsection">

doc/arm/Bv9ARM.ch01.html

@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch02.html

@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch03.html

@@ -856,6 +856,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch04.html

@@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch05.html

@@ -5192,15 +5192,21 @@ options {
                   When set in the <span class="command"><strong>zone</strong></span> statement for
                   a master zone, specifies which hosts are allowed to
                   submit Dynamic DNS updates to that zone.  The default
-                  is to deny updates from all hosts.  This can only
-                  be set at the <span class="command"><strong>zone</strong></span> level, not in
-                  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+                  is to deny updates from all hosts.
                 </p>
                 <p>
                   Note that allowing updates based on the
                   requestor's IP address is insecure; see
                   <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
                 </p>
+                <p>
+                  In general this option should only be set at the
+                  <span class="command"><strong>zone</strong></span> level. While a default
+                  value can be set at the <span class="command"><strong>options</strong></span> or
+                  <span class="command"><strong>view</strong></span> level and inherited by zones,
+                  this could lead to some zones unintentionally allowing
+                  updates.
+                </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
 <dd>
@@ -5210,9 +5216,7 @@ options {
                   submit Dynamic DNS updates and have them be forwarded
                   to the master.  The default is
                   <strong class="userinput"><code>{ none; }</code></strong>, which means that no
-                  update forwarding will be performed.  This can only be
-                  set at the <span class="command"><strong>zone</strong></span> level, not in
-                  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span>.
+                  update forwarding will be performed.
                 </p>
                 <p>
                   To enable update forwarding, specify
@@ -5230,6 +5234,14 @@ options {
                   on insecure IP-address-based access control; see
                   <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for more details.
                 </p>
+                <p>
+                  In general this option should only be set at the
+                  <span class="command"><strong>zone</strong></span> level. While a default
+                  value can be set at the <span class="command"><strong>options</strong></span> or
+                  <span class="command"><strong>view</strong></span> level and inherited by zones,
+                  this can lead to some zones unintentionally forwarding
+                  updates.
+                </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
 <dd>
@@ -6281,7 +6293,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                 <p>
                   The number of file descriptors reserved for TCP, stdio,
                   etc.  This needs to be big enough to cover the number of
-                  interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
+                  interfaces <span class="command"><strong>named</strong></span> listens on plus
+                  <span class="command"><strong>tcp-clients</strong></span>, as well as
                   to provide room for outgoing TCP queries and incoming zone
                   transfers.  The default is <code class="literal">512</code>.
                   The minimum value is <code class="literal">128</code> and the
@@ -8045,6 +8058,14 @@ example.com                 CNAME   rpz-tcp-only.
             zone. By default, all rewrites are logged.
           </p>
 
+          <p>
+            The <span class="command"><strong>add-soa</strong></span> option controls whether the RPZ's
+            SOA record is added to the additional section for traceback
+            of changes from this zone or not.  This can be set at the
+            individual policy zone level or at the response-policy level.
+            The default is <code class="literal">yes</code>.
+          </p>
+
           <p>
             Updates to RPZ zones are processed asynchronously; if there
             is more than one update pending they are bundled together.
@@ -14831,6 +14852,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch06.html

@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch07.html

@@ -191,6 +191,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch08.html

@@ -36,16 +36,16 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.1</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_issues">Known Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@@ -54,16 +54,15 @@
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.0</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.14.1</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      BIND 9.14.0 is the first release of a new stable branch of BIND.
-      This document summarizes new features and functional changes
-      that have been introduced, as well as features that have been
-      deprecated or removed, since the last stable branch, 9.12.
+      BIND 9.14 is a stable branch of BIND.
+      This document summarizes significant changes since the last
+      production release on that branch.
     </p>
 <p>
     </p>
@@ -136,498 +135,62 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_issues"></a>Known Issues</h3></div></div></div>
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+	  In certain configurations, <span class="command"><strong>named</strong></span> could crash
+	  with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+	  was in use and a redirected query resulted in an NXDOMAIN from the
+	  cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+	  option could be exceeded in some cases. This could lead to
+	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	</p>
+      </li>
+</ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  A recent change in the <code class="filename">named.conf</code> parser
-	  resulted in <span class="command"><strong>allow-update</strong></span> being treated as a
-	  configuration error when set at the <span class="command"><strong>options</strong></span> or
-	  <span class="command"><strong>view</strong></span> level. This is not a secure configuration
-	  and the use of the option in this manner is ill-advised. However,
-	  in this release it should have been treated as a warning rather
-	  than a fatal error. This flaw was discovered too late to be
-	  fixed in 9.14.0, but it will be corrected in the 9.14.1
-	  maintenance release: global <span class="command"><strong>allow-update</strong></span> will
-	  again be permitted, but a warning will be logged.
+	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+	  should be included in the additional section of RPZ responses.
+	  [GL #865]
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+	<p>
+	  None.
 	</p>
       </li></ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  Task manager and socket code have been substantially modified.
-	  The manager uses per-cpu queues for tasks and network stack runs
-	  multiple event loops in CPU-affinitive threads. This greatly
-	  improves performance on large systems, especially when using
-	  multi-queue NICs.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for QNAME minimization was added and enabled by default
-	  in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
-	  to normal resolution if the remote server returns something
-	  unexpected during the query minimization process. This default
-	  setting might change to <span class="command"><strong>strict</strong></span> in the future.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
-	  extension of query processing functionality through the use of
-	  external libraries. The new <code class="filename">filter-aaaa.so</code>
-	  plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
-	  was formerly implemented as a native part of BIND.
-	</p>
-	<p>
-	  The plugin API is a work in progress and is likely to evolve
-	  as further plugins are implemented. [GL #15]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
-	  enables <span class="command"><strong>named</strong></span> to serve a transferred copy
-	  of a zone's contents without acting as an authority for the
-	  zone. A zone must be fully validated against an active trust
-	  anchor before it can be used as a mirror zone. DNS responses
-	  from mirror zones do not set the AA bit ("authoritative answer"),
-	  but do set the AD bit ("authenticated data"). This feature is
-	  meant to facilitate deployment of a local copy of the root zone,
-	  as described in RFC 7706. [GL #33]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
-	  library to add IDNA2008 support.  Previously, BIND supported
-	  IDNA2003 using the (now obsolete and unsupported)
-	  <span class="command"><strong>idnkit-1</strong></span> library.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <span class="command"><strong>root-key-sentinel no;</strong></span> to
-	  <code class="filename">named.conf</code>. [GL #37]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
-	  <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
-	  signatures covering DNSKEY RRsets. [GL #145]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
-	  library to set process privileges.  The adds a new compile-time
-	  dependency, which can be met on most Linux platforms by installing the
-	  <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
-	  package. BIND can also be built without capability support by using
-	  <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
-	  loss of security.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>validate-except</strong></span> option specifies a list of
-	  domains beneath which DNSSEC validation should not be performed,
-	  regardless of whether a trust anchor has been configured above
-	  them. [GL #237]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Two new update policy rule types have been added
-	  <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
-	  which allow machines with Kerberos principals to update
-	  the name space at or below the machine names identified
-	  in the respective principals.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
-	  can be used to make BIND enable and enforce FIPS mode in the
-	  OpenSSL library.  When compiled with such option the BIND will
-	  refuse to run if FIPS mode can't be enabled, thus this option
-	  must be only enabled for the systems where FIPS mode is available.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
-	  <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
-	  administrator to override the minimum TTL in the received DNS records
-	  (positive caching) and for storing the information about non-existent
-	  records (negative caching).  The configured minimum TTL for both
-	  configuration options cannot exceed 90 seconds.
-	</p>
-      </li>
-<li class="listitem">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
-          <span class="command"><strong>rndc status</strong></span> output now includes a
-          <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
-          configuration is being reloaded.
-        </p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
-	  <code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
-	  returning a DNS COOKIE option to a client, even if such an
-	  option was present in the request.  This is only intended as
-	  a temporary measure, for use when <span class="command"><strong>named</strong></span>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the same
-	  address is not expected to cause operational problems, but the
-	  option to disable COOKIE responses so that all servers have the
-	  same behavior is provided out of an abundance of caution.
-	  DNS COOKIE is an important security mechanism, and this option
-	  should not be used to disable it unless absolutely necessary.
+	  The <span class="command"><strong>allow-update</strong></span> and
+	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
+	  inadvertently treated as configuration errors when used at the
+	  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+	  This has now been corrected.
+	  [GL #913]
 	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  Workarounds for servers that misbehave when queried with EDNS
-	  have been removed, because these broken servers and the
-	  workarounds for their noncompliance cause unnecessary delays,
-	  increase code complexity, and prevent deployment of new DNS
-	  features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
-	  for further details.
-	</p>
-	<p>
-	  In particular, resolution will no longer fall back to
-	  plain DNS when there was no response from an authoritative
-	  server.  This will cause some domains to become non-resolvable
-	  without manual intervention.  In these cases, resolution can
-	  be restored by adding <span class="command"><strong>server</strong></span> clauses for the
-	  offending servers, specifying <span class="command"><strong>edns no</strong></span> or
-	  <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
-	  noncompliance.
-	</p>
-	<p>
-	  To determine which <span class="command"><strong>server</strong></span> clause to use, run
-	  the following commands to send queries to the authoritative
-	  servers for the broken domain:
-	</p>
-<div class="literallayout"><p><br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec<br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie<br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +noedns<br>
-</p></div>
-	<p>
-	  If the first command fails but the second succeeds, the
-	  server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
-	  If the first two fail but the third succeeds, then the server
-	  needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
-	</p>
-	<p>
-	  Please contact the administrators of noncompliant domains
-	  and encourage them to upgrade their broken DNS servers. [GL #150]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Previously, it was possible to build BIND without thread support
-	  for old architectures and systems without threads support.
-	  BIND now requires threading support (either POSIX or Windows) from
-	  the operating system, and it cannot be built without threads.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>filter-aaaa</strong></span>,
-	  <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
-	  <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
-	  from <span class="command"><strong>named</strong></span>, and can no longer be
-	  configured using native <code class="filename">named.conf</code> syntax.
-	  However, loading the new <code class="filename">filter-aaaa.so</code>
-	  plugin and setting its parameters provides identical
-	  functionality.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
-	  option for view selection.  In its existing form, the authoritative
-	  ECS feature was not fully RFC-compliant, and could not realistically
-	  have been deployed in production for an authoritative server; its
-	  only practical use was for testing and experimentation. In the
-	  interest of code simplification, this feature has now been removed.
-	</p>
-	<p>
-	  The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
-	  <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
-	  and logged when received by <span class="command"><strong>named</strong></span>, but
-	  it is no longer used for ACL processing. The
-	  <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
-	  a warning will be logged if it is used in
-	  <code class="filename">named.conf</code>.
-	  <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
-	  also obsolete, and will cause the configuration to fail to
-	  load if they are used. [GL #32]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
-	  keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
-	  to generate these keys. [RT #46404]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for OpenSSL 0.9.x has been removed.  OpenSSL version
-	  1.0.0 or greater, or LibreSSL is now required.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
-	  which formerly turned on system-call filtering on Linux, has
-	  been removed. [GL #93]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  IPv4 addresses in forms other than dotted-quad are no longer
-	  accepted in master files. [GL #13] [GL #56]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The "rbtdb64" database implementation (a parallel
-	  implementation of "rbt") has been removed. [GL #217]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
-	  random device has been removed from the
-	  <span class="command"><strong>ddns-confgen</strong></span>,
-	  <span class="command"><strong>rndc-confgen</strong></span>,
-	  <span class="command"><strong>nsupdate</strong></span>,
-	  <span class="command"><strong>dnssec-confgen</strong></span>, and
-	  <span class="command"><strong>dnssec-signzone</strong></span> commands.
-	</p>
-	<p>
-	  The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
-	  has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
-	  command.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for the RSAMD5 algorithm has been removed freom BIND as
-	  the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
-	  in RFC6725, the security of the MD5 algorithm has been compromised,
-	  and its usage is considered harmful.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
-	  removed from BIND, as the algorithm has been superseded by
-	  GOST R 34.11-2012 in RFC6986 and it must not be used in new
-	  deployments.  BIND will neither create new DNSSEC keys,
-	  signatures and digests, nor it will validate them.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for DSA and DSA-NSEC3-SHA1 algorithms has been
-	  removed from BIND as the DSA key length is limited to 1024
-	  bits and this is not considered secure enough.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
-	  when processing an IXFR stream.  This had previously been
-	  permitted for compatibility with BIND 8, but now "no-change"
-	  deltas will trigger a fallback to AXFR as the recovery mechanism.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND 9 will no longer build on platforms that don't have
-	  proper IPv6 support.  BIND 9 now also requires POSIX-compatible
-	  pthread support.  Most of the platforms that lack these featuers
-	  are long past their end-of-lifew dates, and they are neither
-	  developed nor supported by their respective vendors.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The incomplete support for internationalization message catalogs has
-	  been removed from BIND. Since the internationalization was never
-	  completed, and no localized message catalogs were ever made available
-	  for the portions of BIND in which they could have been used, this
-	  change will have no effect except to simplify the source code. BIND's
-	  log messages and other output were already only available in English.
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  BIND will now always use the best CSPRNG (cryptographically-secure
-	  pseudo-random number generator) available on the platform where
-	  it is compiled.  It will use the <span class="command"><strong>arc4random()</strong></span>
-	  family of functions on BSD operating systems,
-	  <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
-	  <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
-	  cryptography provider library (OpenSSL or PKCS#11) as the last
-	  resort. [GL #221]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
-	  now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
-	  validation using the IANA root key. (The default can be changed
-	  back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
-	  validation only when keys are explicitly configured in
-	  <code class="filename">named.conf</code>, by building BIND with
-	  <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND can no longer be built without DNSSEC support. A cryptography
-	  provider (i.e., OpenSSL or a hardware service module with
-	  PKCS#11 support) must be available. [GL #244]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Zone types <span class="command"><strong>primary</strong></span> and
-	  <span class="command"><strong>secondary</strong></span> are now available as synonyms for
-	  <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
-	  respectively, in <code class="filename">named.conf</code>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will now log a warning if the old
-	  root DNSSEC key is explicitly configured and has not been updated.
-	  [RT #43670]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
-	  that have timed out, in addition to those that respond. [GL #64]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
-	  supported by default; previously the limit was 32. [GL #123]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Several configuration options for time periods can now use
-	  TTL value suffixes (for example, <code class="literal">2h</code> or
-	  <code class="literal">1d</code>) in addition to an integer number of
-	  seconds. These include
-	  <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
-	  <span class="command"><strong>interface-interval</strong></span>,
-	  <span class="command"><strong>max-cache-ttl</strong></span>,
-	  <span class="command"><strong>max-ncache-ttl</strong></span>,
-	  <span class="command"><strong>max-policy-ttl</strong></span>, and
-	  <span class="command"><strong>min-update-interval</strong></span>.
-	  [GL #203]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
-	  option) now has its own <span class="command"><strong>nsid</strong></span> category,
-	  instead of using the <span class="command"><strong>resolver</strong></span> category.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
-	  between views of the same name but different class; this
-	  has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
-	  option. [GL #105]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>allow-recursion-on</strong></span> and
-	  <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
-	  the other if only one of them is set, in order to be consistent
-	  with the way <span class="command"><strong>allow-recursion</strong></span> and
-	  <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
-	  <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
-	  when the standard output is not a TTY (i.e., when the output
-	  is not being read by a human). When running from a shell
-	  script, the command line options <span class="command"><strong>+idnin</strong></span> and
-	  <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
-	  processing of input and output domain names, respectively.
-	  When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
-	  <span class="command"><strong>+noidnout</strong></span> options may be used to disable
-	  IDN processing of input and output domain names.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
-	  exceed seven days. Previously, larger values than this were silently
-	  lowered; now, they trigger a configuration error.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>dig -r</strong></span> command line option
-	  disables reading of the file <code class="filename">$HOME/.digrc</code>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Zone signing and key maintenance events are now logged to the
-	  <span class="command"><strong>dnssec</strong></span> category rather than
-	  <span class="command"><strong>zone</strong></span>.
-	</p>
-      </li>
-</ul></div>
+      </li></ul></div>
   </div>
 
   <div class="section">
@@ -697,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch09.html

@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch10.html

@@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch11.html

@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.ch12.html

@@ -210,6 +210,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/Bv9ARM.html

@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.14.0</p></div>
+<div><p class="releaseinfo">BIND Version 9.14.1</p></div>
 <div><p class="copyright">Copyright © 2000-2019 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -242,16 +242,16 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.0</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.14.1</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_platforms">Supported Platforms</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_download">Download</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_issues">Known Issues</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_removed">Removed Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_changes">Feature Changes</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_license">License</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#end_of_life">End of Life</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_thanks">Thank You</a></span></dt>
@@ -439,6 +439,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.arpaname.html

@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.ddns-confgen.html

@@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.delv.html

@@ -625,6 +625,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dig.html

@@ -1151,6 +1151,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-cds.html

@@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-checkds.html

@@ -150,6 +150,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-coverage.html

@@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-dsfromkey.html

@@ -352,6 +352,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-importkey.html

@@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keyfromlabel.html

@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keygen.html

@@ -480,10 +480,12 @@
       key.
     </p>
     <p>
-      The <code class="filename">.key</code> file contains a DNS KEY record
-      that
-      can be inserted into a zone file (directly or with a $INCLUDE
-      statement).
+      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
+      When a zone is being signed by <span class="command"><strong>named</strong></span>
+      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
+      records are included automatically. In other cases,
+      the <code class="filename">.key</code> file can be inserted into a zone file
+      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
     </p>
     <p>
       The <code class="filename">.private</code> file contains
@@ -491,11 +493,6 @@
       fields.  For obvious security reasons, this file does not have
       general read permission.
     </p>
-    <p>
-      Both <code class="filename">.key</code> and <code class="filename">.private</code>
-      files are generated for symmetric cryptography algorithms such as
-      HMAC-MD5, even though the public and private key are equivalent.
-    </p>
   </div>
 
   <div class="refsection">
@@ -560,6 +557,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-keymgr.html

@@ -405,6 +405,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-revoke.html

@@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-settime.html

@@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-signzone.html

@@ -701,6 +701,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnssec-verify.html

@@ -202,6 +202,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.dnstap-read.html

@@ -143,6 +143,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.filter-aaaa.html

@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.host.html

@@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.mdig.html

@@ -604,6 +604,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-checkconf.html

@@ -208,6 +208,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-checkzone.html

@@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-journalprint.html

@@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-nzd2nzf.html

@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named-rrchecker.html

@@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named.conf.html

@@ -1073,6 +1073,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.named.html

@@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nsec3hash.html

@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nslookup.html

@@ -437,6 +437,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.nsupdate.html

@@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-destroy.html

@@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-keygen.html

@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-list.html

@@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.pkcs11-tokens.html

@@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc-confgen.html

@@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc.conf.html

@@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/man.rndc.html

@@ -1024,6 +1024,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
 </body>
 </html>

doc/arm/notes.html

@@ -15,16 +15,15 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.14.0</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.14.1</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
     <p>
-      BIND 9.14.0 is the first release of a new stable branch of BIND.
-      This document summarizes new features and functional changes
-      that have been introduced, as well as features that have been
-      deprecated or removed, since the last stable branch, 9.12.
+      BIND 9.14 is a stable branch of BIND.
+      This document summarizes significant changes since the last
+      production release on that branch.
     </p>
 <p>
     </p>
@@ -97,498 +96,62 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_issues"></a>Known Issues</h3></div></div></div>
+<a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+        <p>
+	  In certain configurations, <span class="command"><strong>named</strong></span> could crash
+	  with an assertion failure if <span class="command"><strong>nxdomain-redirect</strong></span>
+	  was in use and a redirected query resulted in an NXDOMAIN from the
+	  cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  The TCP client quota set using the <span class="command"><strong>tcp-clients</strong></span>
+	  option could be exceeded in some cases. This could lead to
+	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	</p>
+      </li>
+</ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  A recent change in the <code class="filename">named.conf</code> parser
-	  resulted in <span class="command"><strong>allow-update</strong></span> being treated as a
-	  configuration error when set at the <span class="command"><strong>options</strong></span> or
-	  <span class="command"><strong>view</strong></span> level. This is not a secure configuration
-	  and the use of the option in this manner is ill-advised. However,
-	  in this release it should have been treated as a warning rather
-	  than a fatal error. This flaw was discovered too late to be
-	  fixed in 9.14.0, but it will be corrected in the 9.14.1
-	  maintenance release: global <span class="command"><strong>allow-update</strong></span> will
-	  again be permitted, but a warning will be logged.
+	  The new <span class="command"><strong>add-soa</strong></span> option specifies whether
+	  or not the <span class="command"><strong>response-policy</strong></span> zone's SOA record
+	  should be included in the additional section of RPZ responses.
+	  [GL #865]
+        </p>
+      </li></ul></div>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+	<p>
+	  None.
 	</p>
       </li></ul></div>
   </div>
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  Task manager and socket code have been substantially modified.
-	  The manager uses per-cpu queues for tasks and network stack runs
-	  multiple event loops in CPU-affinitive threads. This greatly
-	  improves performance on large systems, especially when using
-	  multi-queue NICs.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for QNAME minimization was added and enabled by default
-	  in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
-	  to normal resolution if the remote server returns something
-	  unexpected during the query minimization process. This default
-	  setting might change to <span class="command"><strong>strict</strong></span> in the future.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new <span class="command"><strong>plugin</strong></span> mechanism has been added to allow
-	  extension of query processing functionality through the use of
-	  external libraries. The new <code class="filename">filter-aaaa.so</code>
-	  plugin replaces the <span class="command"><strong>filter-aaaa</strong></span> feature that
-	  was formerly implemented as a native part of BIND.
-	</p>
-	<p>
-	  The plugin API is a work in progress and is likely to evolve
-	  as further plugins are implemented. [GL #15]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
-	  enables <span class="command"><strong>named</strong></span> to serve a transferred copy
-	  of a zone's contents without acting as an authority for the
-	  zone. A zone must be fully validated against an active trust
-	  anchor before it can be used as a mirror zone. DNS responses
-	  from mirror zones do not set the AA bit ("authoritative answer"),
-	  but do set the AD bit ("authenticated data"). This feature is
-	  meant to facilitate deployment of a local copy of the root zone,
-	  as described in RFC 7706. [GL #33]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
-	  library to add IDNA2008 support.  Previously, BIND supported
-	  IDNA2003 using the (now obsolete and unsupported)
-	  <span class="command"><strong>idnkit-1</strong></span> library.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <span class="command"><strong>root-key-sentinel no;</strong></span> to
-	  <code class="filename">named.conf</code>. [GL #37]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>dnskey-sig-validity</strong></span> option allows the
-	  <span class="command"><strong>sig-validity-interval</strong></span> to be overriden for
-	  signatures covering DNSKEY RRsets. [GL #145]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
-	  library to set process privileges.  The adds a new compile-time
-	  dependency, which can be met on most Linux platforms by installing the
-	  <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
-	  package. BIND can also be built without capability support by using
-	  <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
-	  loss of security.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>validate-except</strong></span> option specifies a list of
-	  domains beneath which DNSSEC validation should not be performed,
-	  regardless of whether a trust anchor has been configured above
-	  them. [GL #237]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Two new update policy rule types have been added
-	  <span class="command"><strong>krb5-selfsub</strong></span> and <span class="command"><strong>ms-selfsub</strong></span>
-	  which allow machines with Kerberos principals to update
-	  the name space at or below the machine names identified
-	  in the respective principals.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new configure option <span class="command"><strong>--enable-fips-mode</strong></span>
-	  can be used to make BIND enable and enforce FIPS mode in the
-	  OpenSSL library.  When compiled with such option the BIND will
-	  refuse to run if FIPS mode can't be enabled, thus this option
-	  must be only enabled for the systems where FIPS mode is available.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Two new configuration options <span class="command"><strong>min-cache-ttl</strong></span> and
-	  <span class="command"><strong>min-ncache-ttl</strong></span> has been added to allow the BIND 9
-	  administrator to override the minimum TTL in the received DNS records
-	  (positive caching) and for storing the information about non-existent
-	  records (negative caching).  The configured minimum TTL for both
-	  configuration options cannot exceed 90 seconds.
-	</p>
-      </li>
-<li class="listitem">
+<a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
         <p>
-          <span class="command"><strong>rndc status</strong></span> output now includes a
-          <span class="command"><strong>reconfig/reload in progress</strong></span> status line if named
-          configuration is being reloaded.
-        </p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>answer-cookie</strong></span> option, if set to
-	  <code class="literal">no</code>, prevents <span class="command"><strong>named</strong></span> from
-	  returning a DNS COOKIE option to a client, even if such an
-	  option was present in the request.  This is only intended as
-	  a temporary measure, for use when <span class="command"><strong>named</strong></span>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the same
-	  address is not expected to cause operational problems, but the
-	  option to disable COOKIE responses so that all servers have the
-	  same behavior is provided out of an abundance of caution.
-	  DNS COOKIE is an important security mechanism, and this option
-	  should not be used to disable it unless absolutely necessary.
+	  The <span class="command"><strong>allow-update</strong></span> and
+	  <span class="command"><strong>allow-update-forwarding</strong></span> options were
+	  inadvertently treated as configuration errors when used at the
+	  <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> level.
+	  This has now been corrected.
+	  [GL #913]
 	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  Workarounds for servers that misbehave when queried with EDNS
-	  have been removed, because these broken servers and the
-	  workarounds for their noncompliance cause unnecessary delays,
-	  increase code complexity, and prevent deployment of new DNS
-	  features. See <a class="link" href="https://dnsflagday.net" target="_top">https://dnsflagday.net</a>
-	  for further details.
-	</p>
-	<p>
-	  In particular, resolution will no longer fall back to
-	  plain DNS when there was no response from an authoritative
-	  server.  This will cause some domains to become non-resolvable
-	  without manual intervention.  In these cases, resolution can
-	  be restored by adding <span class="command"><strong>server</strong></span> clauses for the
-	  offending servers, specifying <span class="command"><strong>edns no</strong></span> or
-	  <span class="command"><strong>send-cookie no</strong></span>, depending on the specific
-	  noncompliance.
-	</p>
-	<p>
-	  To determine which <span class="command"><strong>server</strong></span> clause to use, run
-	  the following commands to send queries to the authoritative
-	  servers for the broken domain:
-	</p>
-<div class="literallayout"><p><br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec<br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +dnssec +nocookie<br>
-	  dig soa &lt;zone&gt; @&lt;server&gt; +noedns<br>
-</p></div>
-	<p>
-	  If the first command fails but the second succeeds, the
-	  server most likely needs <span class="command"><strong>send-cookie no</strong></span>.
-	  If the first two fail but the third succeeds, then the server
-	  needs EDNS to be fully disabled with <span class="command"><strong>edns no</strong></span>.
-	</p>
-	<p>
-	  Please contact the administrators of noncompliant domains
-	  and encourage them to upgrade their broken DNS servers. [GL #150]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Previously, it was possible to build BIND without thread support
-	  for old architectures and systems without threads support.
-	  BIND now requires threading support (either POSIX or Windows) from
-	  the operating system, and it cannot be built without threads.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>filter-aaaa</strong></span>,
-	  <span class="command"><strong>filter-aaaa-on-v4</strong></span>, and
-	  <span class="command"><strong>filter-aaaa-on-v6</strong></span> options have been removed
-	  from <span class="command"><strong>named</strong></span>, and can no longer be
-	  configured using native <code class="filename">named.conf</code> syntax.
-	  However, loading the new <code class="filename">filter-aaaa.so</code>
-	  plugin and setting its parameters provides identical
-	  functionality.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> can no longer use the EDNS CLIENT-SUBNET
-	  option for view selection.  In its existing form, the authoritative
-	  ECS feature was not fully RFC-compliant, and could not realistically
-	  have been deployed in production for an authoritative server; its
-	  only practical use was for testing and experimentation. In the
-	  interest of code simplification, this feature has now been removed.
-	</p>
-	<p>
-	  The ECS option is still supported in <span class="command"><strong>dig</strong></span> and
-	  <span class="command"><strong>mdig</strong></span> via the +subnet argument, and can be parsed
-	  and logged when received by <span class="command"><strong>named</strong></span>, but
-	  it is no longer used for ACL processing. The
-	  <span class="command"><strong>geoip-use-ecs</strong></span> option is now obsolete;
-	  a warning will be logged if it is used in
-	  <code class="filename">named.conf</code>.
-	  <span class="command"><strong>ecs</strong></span> tags in an ACL definition are
-	  also obsolete, and will cause the configuration to fail to
-	  load if they are used. [GL #32]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dnssec-keygen</strong></span> can no longer generate HMAC
-	  keys for TSIG authentication. Use <span class="command"><strong>tsig-keygen</strong></span>
-	  to generate these keys. [RT #46404]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for OpenSSL 0.9.x has been removed.  OpenSSL version
-	  1.0.0 or greater, or LibreSSL is now required.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>configure --enable-seccomp</strong></span> option,
-	  which formerly turned on system-call filtering on Linux, has
-	  been removed. [GL #93]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  IPv4 addresses in forms other than dotted-quad are no longer
-	  accepted in master files. [GL #13] [GL #56]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The "rbtdb64" database implementation (a parallel
-	  implementation of "rbt") has been removed. [GL #217]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>-r randomdev</strong></span> option to explicitly select
-	  random device has been removed from the
-	  <span class="command"><strong>ddns-confgen</strong></span>,
-	  <span class="command"><strong>rndc-confgen</strong></span>,
-	  <span class="command"><strong>nsupdate</strong></span>,
-	  <span class="command"><strong>dnssec-confgen</strong></span>, and
-	  <span class="command"><strong>dnssec-signzone</strong></span> commands.
-	</p>
-	<p>
-	  The <span class="command"><strong>-p</strong></span> option to use pseudo-random data
-	  has been removed from the <span class="command"><strong>dnssec-signzone</strong></span>
-	  command.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for the RSAMD5 algorithm has been removed freom BIND as
-	  the usage of the RSAMD5 algorithm for DNSSEC has been deprecated
-	  in RFC6725, the security of the MD5 algorithm has been compromised,
-	  and its usage is considered harmful.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
-	  removed from BIND, as the algorithm has been superseded by
-	  GOST R 34.11-2012 in RFC6986 and it must not be used in new
-	  deployments.  BIND will neither create new DNSSEC keys,
-	  signatures and digests, nor it will validate them.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Support for DSA and DSA-NSEC3-SHA1 algorithms has been
-	  removed from BIND as the DSA key length is limited to 1024
-	  bits and this is not considered secure enough.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will no longer ignore "no-change" deltas
-	  when processing an IXFR stream.  This had previously been
-	  permitted for compatibility with BIND 8, but now "no-change"
-	  deltas will trigger a fallback to AXFR as the recovery mechanism.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND 9 will no longer build on platforms that don't have
-	  proper IPv6 support.  BIND 9 now also requires POSIX-compatible
-	  pthread support.  Most of the platforms that lack these featuers
-	  are long past their end-of-lifew dates, and they are neither
-	  developed nor supported by their respective vendors.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The incomplete support for internationalization message catalogs has
-	  been removed from BIND. Since the internationalization was never
-	  completed, and no localized message catalogs were ever made available
-	  for the portions of BIND in which they could have been used, this
-	  change will have no effect except to simplify the source code. BIND's
-	  log messages and other output were already only available in English.
-	</p>
-      </li>
-</ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  BIND will now always use the best CSPRNG (cryptographically-secure
-	  pseudo-random number generator) available on the platform where
-	  it is compiled.  It will use the <span class="command"><strong>arc4random()</strong></span>
-	  family of functions on BSD operating systems,
-	  <span class="command"><strong>getrandom()</strong></span> on Linux and Solaris,
-	  <span class="command"><strong>CryptGenRandom</strong></span> on Windows, and the selected
-	  cryptography provider library (OpenSSL or PKCS#11) as the last
-	  resort. [GL #221]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The default setting for <span class="command"><strong>dnssec-validation</strong></span> is
-	  now <strong class="userinput"><code>auto</code></strong>, which activates DNSSEC
-	  validation using the IANA root key. (The default can be changed
-	  back to <strong class="userinput"><code>yes</code></strong>, which activates DNSSEC
-	  validation only when keys are explicitly configured in
-	  <code class="filename">named.conf</code>, by building BIND with
-	  <span class="command"><strong>configure --disable-auto-validation</strong></span>.) [GL #30]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  BIND can no longer be built without DNSSEC support. A cryptography
-	  provider (i.e., OpenSSL or a hardware service module with
-	  PKCS#11 support) must be available. [GL #244]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Zone types <span class="command"><strong>primary</strong></span> and
-	  <span class="command"><strong>secondary</strong></span> are now available as synonyms for
-	  <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span>,
-	  respectively, in <code class="filename">named.conf</code>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>named</strong></span> will now log a warning if the old
-	  root DNSSEC key is explicitly configured and has not been updated.
-	  [RT #43670]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +nssearch</strong></span> will now list name servers
-	  that have timed out, in addition to those that respond. [GL #64]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Up to 64 <span class="command"><strong>response-policy</strong></span> zones are now
-	  supported by default; previously the limit was 32. [GL #123]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Several configuration options for time periods can now use
-	  TTL value suffixes (for example, <code class="literal">2h</code> or
-	  <code class="literal">1d</code>) in addition to an integer number of
-	  seconds. These include
-	  <span class="command"><strong>fstrm-set-reopen-interval</strong></span>,
-	  <span class="command"><strong>interface-interval</strong></span>,
-	  <span class="command"><strong>max-cache-ttl</strong></span>,
-	  <span class="command"><strong>max-ncache-ttl</strong></span>,
-	  <span class="command"><strong>max-policy-ttl</strong></span>, and
-	  <span class="command"><strong>min-update-interval</strong></span>.
-	  [GL #203]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  NSID logging (enabled by the <span class="command"><strong>request-nsid</strong></span>
-	  option) now has its own <span class="command"><strong>nsid</strong></span> category,
-	  instead of using the <span class="command"><strong>resolver</strong></span> category.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The <span class="command"><strong>rndc nta</strong></span> command could not differentiate
-	  between views of the same name but different class; this
-	  has been corrected with the addition of a <span class="command"><strong>-class</strong></span>
-	  option. [GL #105]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>allow-recursion-on</strong></span> and
-	  <span class="command"><strong>allow-query-cache-on</strong></span> each now default to
-	  the other if only one of them is set, in order to be consistent
-	  with the way <span class="command"><strong>allow-recursion</strong></span> and
-	  <span class="command"><strong>allow-query-cache</strong></span> work. [GL #319]
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  When compiled with IDN support, the <span class="command"><strong>dig</strong></span> and
-	  <span class="command"><strong>nslookup</strong></span> commands now disable IDN processing
-	  when the standard output is not a TTY (i.e., when the output
-	  is not being read by a human). When running from a shell
-	  script, the command line options <span class="command"><strong>+idnin</strong></span> and
-	  <span class="command"><strong>+idnout</strong></span> may be used to enable IDN
-	  processing of input and output domain names, respectively.
-	  When running on a TTY, the <span class="command"><strong>+noidnin</strong></span> and
-	  <span class="command"><strong>+noidnout</strong></span> options may be used to disable
-	  IDN processing of input and output domain names.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The configuration option <span class="command"><strong>max-ncache-ttl</strong></span> cannot
-	  exceed seven days. Previously, larger values than this were silently
-	  lowered; now, they trigger a configuration error.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  The new <span class="command"><strong>dig -r</strong></span> command line option
-	  disables reading of the file <code class="filename">$HOME/.digrc</code>.
-	</p>
-      </li>
-<li class="listitem">
-	<p>
-	  Zone signing and key maintenance events are now logged to the
-	  <span class="command"><strong>dnssec</strong></span> category rather than
-	  <span class="command"><strong>zone</strong></span>.
-	</p>
-      </li>
-</ul></div>
+      </li></ul></div>
   </div>
 
   <div class="section">

doc/arm/notes.txt

@@ -1,11 +1,9 @@
-Release Notes for BIND Version 9.14.0
+Release Notes for BIND Version 9.14.1
 
 Introduction
 
-BIND 9.14.0 is the first release of a new stable branch of BIND. This
-document summarizes new features and functional changes that have been
-introduced, as well as features that have been deprecated or removed,
-since the last stable branch, 9.12.
+BIND 9.14 is a stable branch of BIND. This document summarizes significant
+changes since the last production release on that branch.
 
 Please see the file CHANGES for a more detailed list of changes and bug
 fixes.
@@ -52,281 +50,32 @@ www.isc.org/downloads/. There you will find additional information about
 each release, source code, and pre-compiled versions for Microsoft Windows
 operating systems.
 
-Known Issues
+Security Fixes
 
-  * A recent change in the named.conf parser resulted in allow-update
-    being treated as a configuration error when set at the options or view
-    level. This is not a secure configuration and the use of the option in
-    this manner is ill-advised. However, in this release it should have
-    been treated as a warning rather than a fatal error. This flaw was
-    discovered too late to be fixed in 9.14.0, but it will be corrected in
-    the 9.14.1 maintenance release: global allow-update will again be
-    permitted, but a warning will be logged.
+  * In certain configurations, named could crash with an assertion failure
+    if nxdomain-redirect was in use and a redirected query resulted in an
+    NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL
+    #880]
+
+  * The TCP client quota set using the tcp-clients option could be
+    exceeded in some cases. This could lead to exhaustion of file
+    descriptors. (CVE-2018-5743) [GL #615]
 
 New Features
 
-  * Task manager and socket code have been substantially modified. The
-    manager uses per-cpu queues for tasks and network stack runs multiple
-    event loops in CPU-affinitive threads. This greatly improves
-    performance on large systems, especially when using multi-queue NICs.
-
-  * Support for QNAME minimization was added and enabled by default in
-    relaxed mode, in which BIND will fall back to normal resolution if the
-    remote server returns something unexpected during the query
-    minimization process. This default setting might change to strict in
-    the future.
-
-  * A new plugin mechanism has been added to allow extension of query
-    processing functionality through the use of external libraries. The
-    new filter-aaaa.so plugin replaces the filter-aaaa feature that was
-    formerly implemented as a native part of BIND.
-
-    The plugin API is a work in progress and is likely to evolve as
-    further plugins are implemented. [GL #15]
-
-  * A new secondary zone option, mirror, enables named to serve a
-    transferred copy of a zone's contents without acting as an authority
-    for the zone. A zone must be fully validated against an active trust
-    anchor before it can be used as a mirror zone. DNS responses from
-    mirror zones do not set the AA bit ("authoritative answer"), but do
-    set the AD bit ("authenticated data"). This feature is meant to
-    facilitate deployment of a local copy of the root zone, as described
-    in RFC 7706. [GL #33]
-
-  * BIND now can be compiled against the libidn2 library to add IDNA2008
-    support. Previously, BIND supported IDNA2003 using the (now obsolete
-    and unsupported) idnkit-1 library.
-
-  * named now supports the "root key sentinel" mechanism. This enables
-    validating resolvers to indicate which trust anchors are configured
-    for the root, so that information about root key rollover status can
-    be gathered. To disable this feature, add root-key-sentinel no; to
-    named.conf. [GL #37]
-
-  * The dnskey-sig-validity option allows the sig-validity-interval to be
-    overriden for signatures covering DNSKEY RRsets. [GL #145]
-
-  * When built on Linux, BIND now requires the libcap library to set
-    process privileges. The adds a new compile-time dependency, which can
-    be met on most Linux platforms by installing the libcap-dev or
-    libcap-devel package. BIND can also be built without capability
-    support by using configure --disable-linux-caps, at the cost of some
-    loss of security.
-
-  * The validate-except option specifies a list of domains beneath which
-    DNSSEC validation should not be performed, regardless of whether a
-    trust anchor has been configured above them. [GL #237]
-
-  * Two new update policy rule types have been added krb5-selfsub and
-    ms-selfsub which allow machines with Kerberos principals to update the
-    name space at or below the machine names identified in the respective
-    principals.
-
-  * The new configure option --enable-fips-mode can be used to make BIND
-    enable and enforce FIPS mode in the OpenSSL library. When compiled
-    with such option the BIND will refuse to run if FIPS mode can't be
-    enabled, thus this option must be only enabled for the systems where
-    FIPS mode is available.
-
-  * Two new configuration options min-cache-ttl and min-ncache-ttl has
-    been added to allow the BIND 9 administrator to override the minimum
-    TTL in the received DNS records (positive caching) and for storing the
-    information about non-existent records (negative caching). The
-    configured minimum TTL for both configuration options cannot exceed 90
-    seconds.
-
-  * rndc status output now includes a reconfig/reload in progress status
-    line if named configuration is being reloaded.
-
-  * The new answer-cookie option, if set to no, prevents named from
-    returning a DNS COOKIE option to a client, even if such an option was
-    present in the request. This is only intended as a temporary measure,
-    for use when named shares an IP address with other servers that do not
-    yet support DNS COOKIE. A mismatch between servers on the same address
-    is not expected to cause operational problems, but the option to
-    disable COOKIE responses so that all servers have the same behavior is
-    provided out of an abundance of caution. DNS COOKIE is an important
-    security mechanism, and this option should not be used to disable it
-    unless absolutely necessary.
-
-Removed Features
-
-  * Workarounds for servers that misbehave when queried with EDNS have
-    been removed, because these broken servers and the workarounds for
-    their noncompliance cause unnecessary delays, increase code
-    complexity, and prevent deployment of new DNS features. See https://
-    dnsflagday.net for further details.
-
-    In particular, resolution will no longer fall back to plain DNS when
-    there was no response from an authoritative server. This will cause
-    some domains to become non-resolvable without manual intervention. In
-    these cases, resolution can be restored by adding server clauses for
-    the offending servers, specifying edns no or send-cookie no, depending
-    on the specific noncompliance.
-
-    To determine which server clause to use, run the following commands to
-    send queries to the authoritative servers for the broken domain:
-
-
-      dig soa <zone> @<server> +dnssec
-      dig soa <zone> @<server> +dnssec +nocookie
-      dig soa <zone> @<server> +noedns
-
-    If the first command fails but the second succeeds, the server most
-    likely needs send-cookie no. If the first two fail but the third
-    succeeds, then the server needs EDNS to be fully disabled with edns no
-    .
-
-    Please contact the administrators of noncompliant domains and
-    encourage them to upgrade their broken DNS servers. [GL #150]
-
-  * Previously, it was possible to build BIND without thread support for
-    old architectures and systems without threads support. BIND now
-    requires threading support (either POSIX or Windows) from the
-    operating system, and it cannot be built without threads.
-
-  * The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options have
-    been removed from named, and can no longer be configured using native
-    named.conf syntax. However, loading the new filter-aaaa.so plugin and
-    setting its parameters provides identical functionality.
-
-  * named can no longer use the EDNS CLIENT-SUBNET option for view
-    selection. In its existing form, the authoritative ECS feature was not
-    fully RFC-compliant, and could not realistically have been deployed in
-    production for an authoritative server; its only practical use was for
-    testing and experimentation. In the interest of code simplification,
-    this feature has now been removed.
-
-    The ECS option is still supported in dig and mdig via the +subnet
-    argument, and can be parsed and logged when received by named, but it
-    is no longer used for ACL processing. The geoip-use-ecs option is now
-    obsolete; a warning will be logged if it is used in named.conf. ecs
-    tags in an ACL definition are also obsolete, and will cause the
-    configuration to fail to load if they are used. [GL #32]
-
-  * dnssec-keygen can no longer generate HMAC keys for TSIG
-    authentication. Use tsig-keygen to generate these keys. [RT #46404]
-
-  * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0 or
-    greater, or LibreSSL is now required.
-
-  * The configure --enable-seccomp option, which formerly turned on
-    system-call filtering on Linux, has been removed. [GL #93]
-
-  * IPv4 addresses in forms other than dotted-quad are no longer accepted
-    in master files. [GL #13] [GL #56]
-
-  * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
-
-  * The "rbtdb64" database implementation (a parallel implementation of
-    "rbt") has been removed. [GL #217]
-
-  * The -r randomdev option to explicitly select random device has been
-    removed from the ddns-confgen, rndc-confgen, nsupdate, dnssec-confgen,
-    and dnssec-signzone commands.
-
-    The -p option to use pseudo-random data has been removed from the
-    dnssec-signzone command.
-
-  * Support for the RSAMD5 algorithm has been removed freom BIND as the
-    usage of the RSAMD5 algorithm for DNSSEC has been deprecated in
-    RFC6725, the security of the MD5 algorithm has been compromised, and
-    its usage is considered harmful.
-
-  * Support for the ECC-GOST (GOST R 34.11-94) algorithm has been removed
-    from BIND, as the algorithm has been superseded by GOST R 34.11-2012
-    in RFC6986 and it must not be used in new deployments. BIND will
-    neither create new DNSSEC keys, signatures and digests, nor it will
-    validate them.
-
-  * Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
-    BIND as the DSA key length is limited to 1024 bits and this is not
-    considered secure enough.
-
-  * named will no longer ignore "no-change" deltas when processing an IXFR
-    stream. This had previously been permitted for compatibility with BIND
-    8, but now "no-change" deltas will trigger a fallback to AXFR as the
-    recovery mechanism.
-
-  * BIND 9 will no longer build on platforms that don't have proper IPv6
-    support. BIND 9 now also requires POSIX-compatible pthread support.
-    Most of the platforms that lack these featuers are long past their
-    end-of-lifew dates, and they are neither developed nor supported by
-    their respective vendors.
-
-  * The incomplete support for internationalization message catalogs has
-    been removed from BIND. Since the internationalization was never
-    completed, and no localized message catalogs were ever made available
-    for the portions of BIND in which they could have been used, this
-    change will have no effect except to simplify the source code. BIND's
-    log messages and other output were already only available in English.
+  * The new add-soa option specifies whether or not the response-policy
+    zone's SOA record should be included in the additional section of RPZ
+    responses. [GL #865]
 
 Feature Changes
 
-  * BIND will now always use the best CSPRNG (cryptographically-secure
-    pseudo-random number generator) available on the platform where it is
-    compiled. It will use the arc4random() family of functions on BSD
-    operating systems, getrandom() on Linux and Solaris, CryptGenRandom on
-    Windows, and the selected cryptography provider library (OpenSSL or
-    PKCS#11) as the last resort. [GL #221]
+  * None.
 
-  * The default setting for dnssec-validation is now auto, which activates
-    DNSSEC validation using the IANA root key. (The default can be changed
-    back to yes, which activates DNSSEC validation only when keys are
-    explicitly configured in named.conf, by building BIND with configure
-    --disable-auto-validation.) [GL #30]
+Bug Fixes
 
-  * BIND can no longer be built without DNSSEC support. A cryptography
-    provider (i.e., OpenSSL or a hardware service module with PKCS#11
-    support) must be available. [GL #244]
-
-  * Zone types primary and secondary are now available as synonyms for
-    master and slave, respectively, in named.conf.
-
-  * named will now log a warning if the old root DNSSEC key is explicitly
-    configured and has not been updated. [RT #43670]
-
-  * dig +nssearch will now list name servers that have timed out, in
-    addition to those that respond. [GL #64]
-
-  * Up to 64 response-policy zones are now supported by default;
-    previously the limit was 32. [GL #123]
-
-  * Several configuration options for time periods can now use TTL value
-    suffixes (for example, 2h or 1d) in addition to an integer number of
-    seconds. These include fstrm-set-reopen-interval, interface-interval,
-    max-cache-ttl, max-ncache-ttl, max-policy-ttl, and min-update-interval
-    . [GL #203]
-
-  * NSID logging (enabled by the request-nsid option) now has its own nsid
-    category, instead of using the resolver category.
-
-  * The rndc nta command could not differentiate between views of the same
-    name but different class; this has been corrected with the addition of
-    a -class option. [GL #105]
-
-  * allow-recursion-on and allow-query-cache-on each now default to the
-    other if only one of them is set, in order to be consistent with the
-    way allow-recursion and allow-query-cache work. [GL #319]
-
-  * When compiled with IDN support, the dig and nslookup commands now
-    disable IDN processing when the standard output is not a TTY (i.e.,
-    when the output is not being read by a human). When running from a
-    shell script, the command line options +idnin and +idnout may be used
-    to enable IDN processing of input and output domain names,
-    respectively. When running on a TTY, the +noidnin and +noidnout
-    options may be used to disable IDN processing of input and output
-    domain names.
-
-  * The configuration option max-ncache-ttl cannot exceed seven days.
-    Previously, larger values than this were silently lowered; now, they
-    trigger a configuration error.
-
-  * The new dig -r command line option disables reading of the file $HOME
-    /.digrc.
-
-  * Zone signing and key maintenance events are now logged to the dnssec
-    category rather than zone.
+  * The allow-update and allow-update-forwarding options were
+    inadvertently treated as configuration errors when used at the options
+    or view level. This has now been corrected. [GL #913]
 
 License
 

doc/misc/options

@@ -186,7 +186,7 @@ options {
         fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
         fstrm-set-output-queue-size <integer>; // not configured
         fstrm-set-reopen-interval <ttlval>; // not configured
-        geoip-directory ( <quoted_string> | none );
+        geoip-directory ( <quoted_string> | none ); // not configured
         geoip-use-ecs <boolean>; // obsolete
         glue-cache <boolean>;
         has-old-clients <boolean>; // ancient
@@ -207,7 +207,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // ancient
         managed-keys-directory <quoted_string>;
@@ -553,7 +553,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         maintain-ixfr-base <boolean>; // ancient
         managed-keys { <string> <string>
             <integer> <integer> <integer>