* also sync rc scrpt with base system.
Bug Fixes
9.7.3
* BIND now builds with threads disabled in versions of NetBSD earlier
than 5.0 and with pthreads enabled by default in NetBSD versions
5.0 and higher. Also removes support for unproven-pthreads,
mit-pthreads and ptl2. [RT #19203]
* Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
to properly update the zone when adding a DNSKEY for publication
only). [RT #21324]
* "nsupdate -l" now gives error message if "session.key" file is not
found. [RT #21670]
* HPUX now correctly defaults to using /dev/poll, which should
increase performance. [RT #21919]
* If named is running as a threaded application, after an "rndc stop"
command has been issued, other inbound TCP requests can cause named
to hang and never complete shutdown. [RT #22108]
* After an "rndc reconfig", the refresh timer for managed-keys is
ignored, resulting in managed-keys not being refreshed until named
is restarted. [RT #22296]
* An NSEC3PARAM record placed inside a zone which is not properly
signed with NSEC3 could cause named to crash, if changed via
dynamic update. [RT #22363]
* "rndc -h" now includes "loadkeys" option. [RT #22493]
* When performing a GSS-TSIG signed dynamic zone update, memory could
be leaked. This causes an unclean shutdown and may affect
long-running servers. [RT #22573]
* A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
allows for a TCP DoS attack. Until there is a kernel fix, ISC is
disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
* When signing records, named didn't filter out any TTL changes to
DNSKEY records. This resulted in an incomplete key set. TTL changes
are now dealt with before signing. [RT #22590]
* Corrected a defect where a combination of dynamic updates and zone
transfers incorrectly locked the in-memory zone database, causing
named to freeze. [RT #22614]
* Don't run MX checks (check-mx) when the MX record points to ".".
[RT #22645]
* DST key reference counts can now be incremented via dst_key_attach.
[RT #22672]
* The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
were updated/corrected per current Windows OS. [RT #22724]
* "dnssec-settime -S" no longer tests prepublication interval
validity when the interval is set to 0. [RT #22761]
* isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
attr. [RT #22766]
* The Kerberos realm was being truncated when being pulled from the
the host prinicipal, make krb5-self updates fail. [RT #22770]
* named failed to preserve the case of domain names in RDATA which is
not compressible when writing master files. [RT #22863]
* The man page for dnssec-keyfromlabel incorrectly had "-U" rather
than the correct option "-I". [RT #22887]
* The "rndc" command usage statement was missing the "-b" option. [RT
#22937]
* There was a bug in how the clients-per-query code worked with some
query patterns. This could result, in rare circumstances, in having
all the client query slots filled with queries for the same DNS
label, essentially ignoring the max-clients-per-query setting. [RT
#22972]
* The secure zone update feature in named is based on the zone being
signed and configured for dynamic updates. A bug in the ACL
processing for "allow-update { none; };" resulted in a zone that is
supposed to be static being treated as a dynamic zone. Thus, name
would try to sign/re-sign that zone erroneously. [RT #23120]
http://www.isc.org/announcement/guidance-regarding-dec-1st-2010-security-advisories
CVE: CVE-2010-3613
CERT: VU#706148
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type
CVE: CVE-2010-3614
CERT: VU#837744
BIND: Key algorithm rollover bug in bind9
CVE: CVE-2010-3615
CERT: VU#510208
BIND: allow-query processed incorrectly
New Features
* Zones may be dynamically added and removed with the "rndc addzone"
and "rndc delzone" commands. These dynamically added zones are
written to a per-view configuration file. Do not rely on the
configuration file name nor contents as this will change in a
future release. This is an experimental feature at this time.
* Added new "filter-aaaa-on-v4" access control list to select which
IPv4 clients have AAAA record filtering applied.
* A new command "rndc secroots" was added to dump a combined summary
of the currently managed keys combined with statically configured
trust anchors.
* Added support to load new keys into managed zones without signing
immediately with "rndc loadkeys". Added support to link keys with
"dnssec-keygen -S" and "dnssec-settime -S".
Changes
* Documentation improvements
* ORCHID prefixes were removed from the automatic empty zone list.
* Improved handling of GSSAPI security contexts. Specifically, better
memory management of cached contexts, limited lifetime of a context
to 1 hour, and added a "realm" command to nsupdate to allow
selection of a non-default realm name.
* The contributed tool "ztk" was updated to version 1.0.
Security Fixes
* If BIND, acting as a DNSSEC validating server, has two or more
trust anchors configured in named.conf for the same zone (such as
example.com) and the response for a record in that zone from the
authoritative server includes a bad signature, the validating
server will crash while trying to validate that query.
* A flaw where the wrong ACL was applied was fixed. This flaw allowed
access to a cache via recursion even though the ACL disallowed it.
Bug Fixes
* Removed a warning message when running BIND 9 under Windows for
when a TCP connection was aborted. This is a common occurrence and
the warning was extraneous.
* Worked around a race condition in the cache database memory
handling. Without this fix a DNS cache DB or ADB could incorrectly
stay in an over memory state, effectively refusing further caching,
which subsequently made a BIND 9 caching server unworkable.
* Partially disabled change 2864 because it would cause infinite
attempts of RRSIG queries.
* BIND did not properly handle non-cacheable negative responses from
insecure zones. This caused several non-protocol-compliant zones to
become unresolvable. BIND is now more accepting of responses it
receives from less strict servers.
* A bug, introduced in BIND 9.7.2, caused named to fail to start if a
master zone file was unreadable or missing. This has been corrected
in 9.7.2-P1.
* BIND previously accepted answers from authoritative servers that
did not provide a "proper" response, such as not setting AA bit.
BIND was changed to be more strict in what it accepted but this
caused operational issues. This new strictness has been backed out
in 9.7.2-P1.
--- 9.7.1-P2 released ---
2931. [security] Temporarily and partially disable change 2864
because it would cause inifinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]
--- 9.7.1-P1 released ---
2926. [rollback] Temporarially rollback change 2748. [RT #21594]
2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]
--- 9.7.1 released ---
--- 9.7.1rc1 released ---
2909. [bug] named-checkconf -p could die if "update-policy local;"
was specified in named.conf. [RT #21416]
2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]
2907. [bug] The export version of libdns had undefined references.
[RT #21444]
2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]
2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
a unintended outcome from change 2890. [RT# 21392]
2903. [bug] managed-keys-directory missing from namedconf.c.
[RT #21370]
--- 9.7.1b1 released ---
2902. [func] Add regression test for change 2897. [RT #21040]
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
2900. [bug] The placeholder negative caching element was not
properly constructed triggering a INSIST in
dns_ncache_towire(). [RT #21346]
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]
2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]
2896. [bug] "rndc sign" failed to properly update the zone
when adding a DNSKEY for publication only. [RT #21045]
2895. [func] genrandom: add support for the generation of multiple
files. [RT #20917]
2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
2892. [bug] Handle REVOKED keys better. [RT #20961]
2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]
2889. [bug] Elements of the grammar where not properly reported.
[RT #21046]
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
2887. [bug] Report the keytag times in UTC in the .key file,
local time is presented as a comment within the
comment. [RT #21223]
2886. [bug] ctime() is not thread safe. [RT #21223]
2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]
2884. [bug] Insufficient valadation in dns_name_getlabelsequence().
[RT #21283]
2883. [bug] 'dig +short' failed to handle really large datasets.
[RT #21113]
2882. [bug] Remove memory context from list of active contexts
before clearing 'magic'. [RT #21274]
2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]
2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
consistent. [RT #21078]
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]
2878. [func] Incrementally write the master file after performing
a AXFR. [RT #21010]
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]
2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]
2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]
2874. [bug] Cache lack of EDNS support only after the server
successfully responds to the query using plain DNS.
[RT #20930]
2873. [bug] Canceling a dynamic update via the dns/client module
could trigger an assertion failure. [RT #21133]
2872. [bug] Modify dns/client.c:dns_client_createx() to only
require one of IPv4 or IPv6 rather than both.
[RT #21122]
2871. [bug] Type mismatch in mem_api.c between the definition and
the header file, causing build failure with
--enable-exportlib. [RT #21138]
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]
2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]
2867. [bug] Don't set GSS_C_SEQUENCE_FLAG as Windows DNS servers
don't like it. [RT #20986]
2866. [bug] Windows does not like the TSIG name being compressed.
[RT #20986]
2865. [bug] memset to zero event.data. [RT #20986]
2864. [bug] Direct SIG/RRSIG queries were not handled correctly.
[RT #21050]
2863. [port] linux: disable IPv6 PMTUD and use network minimum MTU.
[RT #21056]
2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]
2861. [doc] dnssec-settime man pages didn't correctly document the
inactivation time. [RT #21039]
2860. [bug] named-checkconf's usage was out of date. [RT #21039]
2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]
2858. [bug] RTT estimates were not being adjusted on ICMP errors.
[RT #20772]
2857. [bug] named-checkconf did not fail on a bad trusted key.
[RT #20705]
2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]
2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
2851. [doc] nslookup.1, removed <informalexample> from the docbook
source as it produced bad nroff. [RT #21007]
2850. [bug] If isc_heap_insert() failed due to memory shortage
the heap would have corrupted entries. [RT #20951]
(This is simply based on net/bind96).
BIND 9.7.0pl2 (9.7.0-P2)
New Features in BIND 9.7 - 'DNSSEC for Humans'
BIND 9.7 introduces several improvements, especially for simplifying
DNSSEC configuration and DNSSEC maintenance. This article lists some
of the new features and significant changes in BIND 9.7.
For more information please refer these webpage.
http://www.isc.org/software/bind/new-features/9.7http://www.isc.org/files/release-notes/9.7.0-P2%20rel%20notes.txt
taca