BIND 9.9.10-S1 Release Notes
Author: Michael McNally | Reference Number: AA-01486 | Created: 2017-04-19 21:56 | Last Updated: 2017-04-19 21:56

Introduction

This is a release of the BIND 9.9 Supported Preview Edition, a special feature preview branch of BIND which is available to ISC customers.

This document summarizes significant changes since the last production release of BIND on the corresponding major release branch. Please see the file CHANGES for a complete list of bug fixes and other changes, or CHANGES.SE for a list of changes that have been applied specifically to the Supported Preview edition.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

New DNSSEC Root Key

ICANN is in the process of introducing a new Key Signing Key (KSK) for the global root zone. BIND has multiple methods for managing DNSSEC trust anchors, with somewhat different behaviors. If the root key is configured using the managed-keys statement, or if the pre-configured root key is enabled by using dnssec-validation auto, then BIND can keep keys up to date automatically. Servers configured in this way will roll seamlessly to the new key when it is published in the root zone. However, keys configured using the trusted-keys statement are not automatically maintained. If your server is performing DNSSEC validation and is configured using trusted-keys, you are advised to change your configuration before the root zone begins signing with the new KSK. This is currently scheduled for October 11, 2017.

This release includes an updated version of the bind.keys file containing the new root key. This file can also be downloaded from https://www.isc.org/bind-keys .

Security Fixes

  • rndc "" could trigger an assertion failure in named. This flaw is disclosed in CVE-2017-3138. [RT #44924]

  • Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]

  • dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653]

  • If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]

  • named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]

  • named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]

  • named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]

  • It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]

  • Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties, as described in CVE-2016-6170. [RT #42143]

  • It was possible to trigger an assertion when rendering a message using a specially crafted request. This flaw is disclosed in CVE-2016-2776. [RT #43139]

  • Calling getrrsetbyname() with a non-absolute name could trigger an infinite recursion bug in lwresd, or in named with lwres configured, if the resulting name is too long when combined with a search list entry from resolv.conf. This flaw is disclosed in CVE-2016-2775. [RT #42694]

New Features

  • dnstap logfiles can now be configured to automatically roll when they reach a specified size. If dnstap-output is configured with mode file, then it can take optional size and versions key-value arguments to set the logfile rolling parameters. (These have the same semantics as the corresponding options in a logging channel statement.) [RT #44502]
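The trust-anchor guidance from the root-key section, the max-records limit from the security fixes, and the dnstap-output size/versions arguments described above, combined in one named.conf fragment. This is an added example, not configuration shipped by ISC or taken from the release; the directory and file paths, the 100M/10 rolling values, the zone name, the master address (RFC 5737 documentation range) and the record cap are assumptions, and the key strings are placeholders rather than real key material.

```conf
// Added example (not from the release notes): minimal named.conf wiring
// together the options discussed in this release. Paths, sizes, the zone
// and the master address are assumptions.
options {
    directory "/var/named";

    // Trust anchors: "dnssec-validation auto;" enables the root key shipped
    // in bind.keys, so named rolls to ICANN's new KSK automatically.
    dnssec-validation auto;

    // Record all dnstap message types; roll the file at 100M and keep 10
    // old versions (same semantics as size/versions in a logging channel).
    dnstap { all; };
    dnstap-output file "/var/log/named/dnstap.out" size 100M versions 10;
};

// Fragile form, shown only so it can be recognised and removed: a static
// trusted-keys anchor is NOT updated when the root zone rolls to the new
// KSK, and validation would fail once the old key is retired.
// trusted-keys {
//     . 257 3 8 "<ROOT-KSK-PLACEHOLDER>";
// };

// If an explicit anchor is wanted instead of the compiled-in one, use
// managed-keys (maintained automatically) rather than trusted-keys.
// managed-keys {
//     . initial-key 257 3 8 "<ROOT-KSK-PLACEHOLDER>";
// };

// Slave zone received from another party: cap the record count so an
// oversized transfer cannot exhaust memory (the CVE-2016-6170 mitigation).
zone "example.com" {
    type slave;
    masters { 192.0.2.53; };
    file "slaves/example.com.db";
    max-records 100000;
};
```

Run `named-checkconf` on the result before reloading; with dnssec-validation auto in place, any remaining trusted-keys block for the root is the configuration to remove before the October 2017 KSK change.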

Feature Changes

  • dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has been updated to include these addresses, with the initiating address first and the responding address second, separated by "->" or "<-" to indicate in which direction the message was sent. [RT #43595]

  • The ISC DNSSEC Lookaside Validation (DLV) service is scheduled to be disabled in 2017. A warning is now logged when named is configured to use this service, either explicitly or via dnssec-lookaside auto;. [RT #42207]

  • Updated the compiled-in addresses for H.ROOT-SERVERS.NET and L.ROOT-SERVERS.NET.

  • The default value for servfail-ttl has been reduced from 10 seconds to 1; the maximum value has been reduced from 300 seconds to 30. [RT #37556]

  • The default preferred glue is now the address type of the transport the query was received over.

  • On machines with 2 or more processors (CPUs), the default value for the number of UDP listeners has been changed to the number of detected processors minus one.

  • Zone transfers now use smaller message sizes to improve message compression. This results in reduced network usage.

  • named -V output now also includes operating system details.

  • Expanded and improved the YAML output from dnstap-read -y: it now includes packet size and a detailed breakdown of message contents. [RT #43622] [RT #43642]

Porting Changes

  • Fixed a build error that could occur on Solaris. [RT #43214]

  • The Microsoft Windows install tool BINDInstall.exe, which requires a non-free version of Visual Studio to be built, now uses two files (lists of flags and files) created by the Configure perl script containing all the needed information, which was previously compiled into the binary. Read win32utils/build.txt for more details. [RT #38915]

Bug Fixes

  • A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318]

  • named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were being processed at the same time. [RT #42770]

  • named could trigger an assertion when sending NOTIFY messages. [RT #44019]

  • Reverted a change to the query logging format that had been inadvertently backported from a later release of BIND. [RT #43238]

  • Windows installs were failing due to triggering UAC without the installation binary being signed.

  • A change in the internal binary representation of the RBT database node structure enabled a race condition to occur (especially when BIND was built with certain compilers or optimizer settings), leading to inconsistent database state which caused random assertion failures. [RT #42380]

  • rndc flushtree now works even if there wasn't a cached node at the specified name. [RT #41846]

  • Don't emit records with zero TTL unless the records were received with a zero TTL. After being returned to waiting clients, the answer will be discarded from the cache. [RT #41687]

  • "rndc" can now return text output of arbitrary size to the caller. (Prior to this, certain commands such as "rndc tsig-list" and "rndc zonestatus" could return truncated output.)

  • When deleting records from a zone database, interior nodes could be left empty but not deleted, damaging search performance afterward. [RT #40997] [RT #41941]

  • Negative trust anchors (NTAs) were incorrectly deleted when the server was reloaded or reconfigured. [RT #41058]

  • The server could crash due to a use-after-free if a zone transfer timed out. [RT #41297]

  • Some of the options for GeoIP ACLs, including "areacode", "metrocode", and "timezone", were incorrectly documented as "area", "metro" and "tz". Both the long and abbreviated versions are now accepted.

  • Authoritative servers that were marked as bogus (e.g. blackholed in configuration or with invalid addresses) were being queried anyway. [RT #41321]

  • A race condition in rbt/rbtdb was leading to INSISTs being triggered. [RT #42379]

End of Life

BIND 9.9 (Extended Support Version) will be supported until December 2017. BIND 9.9-S (Supported Preview Edition) releases will continue to be published in tandem with BIND 9.9 releases until the Supported Preview Edition moves to a new branch, which may happen before BIND 9.9 reaches end of life, but not later. See https://www.isc.org/downloads/software-support-policy/

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.


© 2001-2017 Internet Systems Consortium
