Release Notes for BIND Version 9.12.0a1
Introduction
BIND 9.12.0 is a new feature release of BIND, still under development.
This document summarizes new features and functional changes that have
been introduced on this branch. With each development release leading
up to the final BIND 9.12.0 release, this document will be updated with
additional features added and bugs fixed.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
License Change
With the release of BIND 9.11.0, ISC changed to the open source license
for BIND from the ISC license to the Mozilla Public License (MPL 2.0).
The MPL-2.0 license requires that if you make changes to licensed
software (e.g. BIND) and distribute them outside your organization,
that you publish those changes under that same license. It does not
require that you publish or disclose anything other than the changes
you made to our software.
This requirement will not affect anyone who is using BIND without
redistributing it, nor anyone redistributing it without changes,
therefore this change will be without consequence for most individuals
and organizations who are using BIND.
Those unsure whether or not the license change affects their use of
BIND, or who wish to discuss how to comply with the license may contact
ISC at https://www.isc.org/mission/contact/.
Windows XP No Longer Supported
As of BIND 9.11.2, Windows XP is no longer a supported platform for
BIND, and Windows XP binaries are no longer available for download from
ISC.
Security Fixes
* None.
New Features
* Many aspects of named have been modified to improve query
performance, and in particular, performance for delegation-heavy
zones:
+ The additional cache ("acache") was found not to significantly
improve performance and has been removed; the acache-enable
and acache-cleaning-interval options are now deprecated.
+ In place of the acache, named can now use a glue cache to
speed up retrieval of glue records when sending delegation
responses. Unlike acache, this feature is on by default; use
glue-cache no; to disable it.
+ The additional-from-cache and additional-from-auth options
have been deprecated.
+ minimal-responses is now set to yes by default.
+ Several functions have been refactored to improve performance,
including name compression, owner name case restoration,
hashing, and buffers.
* Several areas of code have been refactored for improved
readability, maintainability, and testability:
+ The named query logic implemented in query_find() has been
split into smaller functions with a context structure to
maintain state between them, and extensive comments have been
added. [RT #43929]
+ Similarly the iterative query logic implemented in
resquery_response() function has been split into smaller
functions and comments added. [RT #45362]
* Code implementing name server query processing has been moved from
named to an external library, libns. This will make it easier to
write unit tests for the code, or to link it into new tools. [RT
#45186]
* named can now synthesize NXDOMAIN responses from cached
DNSSEC-verified records returned in negative or wildcard responses.
This will reduce query loads on authoritative servers for signed
domains: if existing cached records can be used by the resolver to
determine that a name does not exist in the authorittive domain,
then no query needs to be sent.
This behavior is controlled by the new named.conf option
synth-from-dnssec. It is enabled by default.
Note: This initial implementation can only synthesize NXDOMAIN
responses, from NSEC records. Support for NODATA responses, wilcard
responses, and NSEC3 records will be added soon.
* The DNS Response Policy Service (DNSRPS) API, a mechanism to allow
named to use an external response policy provider, is now
supported. (One example of such a provider is "FastRPZ" from
Farsight Security, Inc.) This allows the same types of policy
filtering as standard RPZ, but can reduce the workload for named,
particularly when using large and frequently-updated policy zones.
It also enables named to share response policy providers with other
DNS implementations such as Unbound.
This feature is avaiable if BIND is built with configure
--enable-dnsrps, if a DNSRPS provider is installed, and if
dnsrps-enable is set to "yes" in named.conf. Standard built-in RPZ
is used otherwise.
Thanks to Vernon Schryver and Farsight Security for the
contribution. [RT #43376]
* Setting max-journal-size to default limits journal sizes to twice
the size of the zone contents. This can be overridden by setting
max-journal-size to unlimited or to an explicit value up to 2G.
Thanks to Tony Finch for the contribution. [RT #38324]
* dnstap logfiles can now be configured to automatically roll when
they reach a specified size. If dnstap-output is configured with
mode file, then it can take optional size and versions key-value
arguments to set the logfile rolling parameters. (These have the
same semantics as the corresponding options in a logging channel
statement.) [RT #44502]
* Logging channels and dnstap-output files can now be configured with
a suffix option, set to either increment or timestamp, indicating
whether log files should be given incrementing suffixes when they
roll over (e.g., logfile.0, .1, .2, etc) or suffixes indicating the
time of the roll. The default is increment. [RT #42838]
* The print-time option in the logging configuration can now take
arguments local, iso8601 or iso8601-utc to indicate the format in
which the date and time should be logged. For backward
compatibility, yes is a synonym for local. [RT #42585]
* nsupdate and rndc now accepts command line options -4 and -6 which
force using only IPv4 or only IPv6, respectively. [RT #45632]
* nsec3hash -r ("rdata order") takes arguments in the same order as
they appear in NSEC3 or NSEC3PARAM records. This makes it easier to
generate an NSEC3 hash using values cut and pasted from an existing
record. Thanks to Tony Finch for the contribution. [RT #45183]
* The new-zones-directory option allows named to store configuration
parameters for zones added via rndc addzone in a location other
than the working directory. Thanks to Petr Mens�k of Red Hat for
the contribution. [RT #44853]
* The dnstap-read -x option prints a hex dump of the wire format DNS
message encapsulated in each dnstap log entry. [RT #44816]
* The host -A option returns most records for a name, but omits types
RRSIG, NSEC and NSEC3.
* dig +ednsopt now accepts the names for EDNS options in addition to
numeric values. For example, an EDNS Client-Subnet option could be
sent using dig +ednsopt=ecs:.... Thanks to John Worley of Secure64
for the contribution. [RT #44461]
* Added support for the EDNS TCP Keepalive option (RFC 7828); this
allows negotiation of longer-lived TCP sessions to reduce the
overhead of setting up TCP for individual queries. [RT #42126]
* Added support for the EDNS Padding option (RFC 7830), which
obfuscates packet size analysis when DNS queries are sent over an
encrypted channel. [RT #42094]
* rndc commands which refer to zone names can now reference a zone of
type redirect by using the special zone name "-redirect".
(Previously this was not possible because redirect zones always
have the name ".", which can be ambiguous.)
In the event you need to manipulate a zone actually called
"-redirect", use a trailing dot: "-redirect."
Note: This change does not appply to the rndc addzone or rndc
modzone commands.
* named-checkconf -l lists the zones found in named.conf. [RT #43154]
* Query logging now includes the ECS option, if one was present in
the query, in the format "[ECS address/source/scope]".
Protocol Changes
* BIND can now use the Ed25519 and Ed448 Edwards Curve DNSSEC signing
algorithms described in RFC 8080. Note, however, that these
algorithms must be supported in OpenSSL; currently they are only
available in the development branch of OpenSSL at
https://github.com/openssl/openssl. [RT #44696]
* EDNS KEY TAG options are verified and printed.
Feature Changes
* The lightweight resolver daemon and library (lwresd and liblwres)
have been removed. [RT #45186]
* dnssec-keygen no longer has default algorithm settings. It is
necessary to explicitly specify the algorithm on the command line
with the -a option when generating keys. This may cause errors with
existing signing scripts if they rely on current defaults. The
intent is to reduce the long-term cost of transitioning to newer
algorithms in the event of RSASHA1 being deprecated. [RT #44755]
* dig +sigchase and related options +trusted-keys and +topdown have
been removed. delv is now the recommended command for looking up
records with DNSSEC validation. [RT #42793]
* The Response Policy Zone (RPZ) implementation has been
substantially refactored: updates to the RPZ summary database are
no longer directly performed by the zone database but by a separate
function that is called when a policy zone is updated. This
improves both performance and reliability when policy zones receive
frequent updates. Summary database updates can be rate-limited by
using the min-update-interval option in a response-policy
statement. [RT #43449]
* dnstap now stores both the local and remote addresses for all
messages, instead of only the remote address. The default output
format for dnstap-read has been updated to include these addresses,
with the initiating address first and the responding address
second, separated by "-%gt;" or "%lt;-" to indicate in which
direction the message was sent. [RT #43595]
* Expanded and improved the YAML output from dnstap-read -y: it now
includes packet size and a detailed breakdown of message contents.
[RT #43622] [RT #43642]
* Threads in named are now set to human-readable names to assist
debugging on operating systems that support that. Threads will have
names such as "isc-timer", "isc-sockmgr", "isc-worker0001", and so
on. This will affect the reporting of subsidiary thread names in ps
and top, but not the main thread. [RT #43234]
* If an ACL is specified with an address prefix in which the prefix
length is longer than the address portion (for example,
192.0.2.1/8), it will now be treated as a fatal error during
configuration. [RT #43367]
* dig now warns about .local queries which are reserved for Multicast
DNS. [RT #44783]
* The view associated with the query is now logged unless it it is
"_default/IN" or "_dnsclient/IN" when logging DNSSEC validator
messages.
* Multiple cookie-secret clauses are now supported. The first
cookie-secret in named.conf is used to generate new server cookies.
Any others are used to accept old server cookies or those generated
by other servers using the matching cookie-secret.
Bug Fixes
* None.
End of Life
The end of life for BIND 9.12 is yet to be determined but will not be
before BIND 9.14.0 has been released for 6 months.
https://www.isc.org/downloads/software-support-policy/
Thank You
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
http://www.isc.org/donate/.