"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.12.3-P1/doc/arm/notes.txt" (7 Dec 2018, 6011 Bytes) of package /linux/misc/dns/bind9/9.12.3-P1/bind-9.12.3-P1.tar.gz:



Release Notes for BIND Version 9.12.3-P1

Introduction

This document summarizes changes since the last production release on the
BIND 9.12 branch. Please see the CHANGES file for a further list of bug
fixes and other changes.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional information
about each release, source code, and pre-compiled versions for Microsoft
Windows operating systems.

Security Fixes

  * named could crash during recursive processing of DNAME records when
    deny-answer-aliases was in use. This flaw is disclosed in
    CVE-2018-5740. [GL #387]

  * When recursion is enabled but the allow-recursion and
    allow-query-cache ACLs are not specified, they should be limited to
    local networks, but they were inadvertently set to match the default
    allow-query, thus allowing remote queries. This flaw is disclosed in
    CVE-2018-5738. [GL #309]

  * The serve-stale feature could cause an assertion failure in rbtdb.c
    even when stale-answer-enable was false. The simultaneous use of stale
    cache records and NSEC aggressive negative caching could trigger a
    recursion loop in the named process. This flaw is disclosed in
    CVE-2018-5737. [GL #185]

  * A bug in zone database reference counting could lead to a crash when
    multiple versions of a slave zone were transferred from a master in
    close succession. This flaw is disclosed in CVE-2018-5736. [GL #134]

  * Code change #4964, intended to prevent double signatures when deleting
    an inactive zone DNSKEY in some situations, introduced a new problem
    during zone processing in which some delegation glue RRsets are
    incorrectly identified as needing RRSIGs, which are then created for
    them using the current active ZSK for the zone. In some, but not all
    cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3
    chain, but incompletely -- this can result in a broken chain,
    affecting validation of proof of nonexistence for records in the zone.
    [GL #771]

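An added example (not part of the ISC release notes or of BIND itself): a
small Python check, run over two constructed named.conf samples, that flags
the configuration shape described for CVE-2018-5738, where recursion is
enabled and neither allow-recursion nor allow-query-cache is specified. The
function names and sample configurations are assumptions made for
illustration; only the first options block is inspected, not views.

```python
import re
# Constructed sample configurations for illustration (not from the BIND tree).
WEAK_CONF = """
options {
    /* recursion is not set, so it defaults to enabled */
    # allow-recursion { localnets; };   <- commented out, not in effect
};
"""
FIXED_CONF = """
options {
    recursion yes;
    allow-recursion   { localnets; localhost; };
    allow-query-cache { localnets; localhost; };
};
"""
ACLS = ("allow-recursion", "allow-query-cache")

def strip_comments(text):
    """Drop /* */, // and # comments (naive: ignores quoting in strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text inside the first options { ... } block, or ''."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def audit(conf_text):
    """List findings for an options block that relies on the default ACLs."""
    body = options_body(strip_comments(conf_text))
    rec = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    if rec and rec.group(1).lower() in ("no", "false", "0"):
        return []  # recursion disabled: the recursion ACLs do not apply
    unset = [a for a in ACLS
             if not re.search(r"(?<![\w-])%s(?![\w-])\s*\{" % a, body)]
    if len(unset) == len(ACLS):
        return ["recursion enabled; %s rely on built-in defaults"
                % " and ".join(unset)]
    return []

if __name__ == "__main__":
    print(audit(WEAK_CONF) or "ok", audit(FIXED_CONF) or "ok")
```

Stating both ACLs explicitly, as in FIXED_CONF, means access to recursion and
the cache no longer depends on what the built-in default happens to be.
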
New Features

  * update-policy rules that otherwise ignore the name field now require
    that it be set to "." to ensure that any type list present is properly
    interpreted. Previously, if the name field was omitted from the rule
    declaration but a type list was present, it wouldn't be interpreted as
    expected.

  * named now supports the "root key sentinel" mechanism. This enables
    validating resolvers to indicate which trust anchors are configured
    for the root, so that information about root key rollover status can
    be gathered. To disable this feature, add root-key-sentinel no; to
    named.conf. [GL #37]

  * Add the ability to not return a DNS COOKIE option when one is present
    in the request. To prevent a cookie from being returned, add
    answer-cookie no; to named.conf. [GL #173]

    answer-cookie no is only intended as a temporary measure, for use when
    named shares an IP address with other servers that do not yet support
    DNS COOKIE. A mismatch between servers on the same address is not
    expected to cause operational problems, but the option to disable
    COOKIE responses so that all servers have the same behavior is
    provided out of an abundance of caution. DNS COOKIE is an important
    security mechanism, and should not be disabled unless absolutely
    necessary.

  * Two new update-policy rule types have been added, krb5-selfsub and
    ms-selfsub, which allow machines with Kerberos principals to update
    the name space at or below the machine names identified in the
    respective principals.

Feature Changes

  * BIND can now be compiled against the libidn2 library to add IDNA2008
    support. Previously, BIND only supported IDNA2003 using the (now
    obsolete) idnkit-1 library.

  * dig +noidnin can be used to disable IDN processing on the input domain
    name, when BIND is compiled with IDN support.

  * The rndc nta command could not differentiate between views of the same
    name but different class; this has been corrected with the addition of
    a -class option. [GL #105]

Bug Fixes

  * When a negative trust anchor was added to multiple views using rndc
    nta, the text returned via rndc was incorrectly truncated after the
    first line, making it appear that only one NTA had been added. This
    has been fixed. [GL #105]

  * named now rejects excessively large incremental (IXFR) zone transfers
    in order to prevent possible corruption of journal files which could
    cause named to abort when loading zones. [GL #339]

License

BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).

The license requires that if you make changes to BIND and distribute them
outside your organization, those changes must be published under the same
license. It does not require that you publish or disclose anything other
than the changes you have made to our software. This requirement does not
affect anyone who is using BIND, with or without modifications, without
redistributing it, nor anyone redistributing BIND without changes.

Those wishing to discuss license compliance may contact ISC at
https://www.isc.org/mission/contact/.

End of Life

The end-of-life date for BIND 9.12 has not yet been determined. However,
it is not intended to be an Extended Support Version (ESV) branch;
accordingly, support will end after the next stable branch (9.14) becomes
available. Those needing a longer-lived branch are encouraged to use the
current ESV, BIND 9.11, which will be supported until December 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible. If
you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
http://www.isc.org/donate/.