An error in TSIG handling could permit unauthorized zone transfers or zone updates. These flaws are disclosed in CVE-2017-3142 and CVE-2017-3143. [RT #45383]

The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. This flaw is disclosed in CVE-2017-3141. [RT #45229]

With certain RPZ configurations, a response with TTL 0 could cause named to go into an infinite query loop. This flaw is disclosed in CVE-2017-3140. [RT #45181]

rndc "" could trigger an assertion failure in named. This flaw is disclosed in (CVE-2017-3138). [RT #44924]

Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]

dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653]

If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]

A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]

named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]

named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]

named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]

It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]

Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties, as described in CVE-2016-6170. [RT #42143]

It was possible to trigger an assertion when rendering a message using a specially crafted request. This flaw is disclosed in CVE-2016-2776. [RT #43139]

Calling getrrsetbyname() with a non absolute name could trigger an infinite recursion bug in lwresd or named with lwres configured if, when combined with a search list entry from resolv.conf, the resulting name is too long. This flaw is disclosed in CVE-2016-2775. [RT #42694]

This release introduces support for the EDNS CLIENT-SUBNET (ECS) option in recursive servers.

See the ARM for more details of these options.

The EDNS CLIENT SUBNET (ECS) option is also experimentally supported for authoritative servers: if an authoritative query contains an ECS option, then ACLs containing geoip or ecs elements can be matched against the address or prefix encoded in the option. This can be used to select a view for the query, so that different answers can be provided depending on the client network. Note, however, that this authoritative support is based on an outdated version of the ECS specification; in its current form it may be useful for testing, but is not recommended for production use. Thanks to Vincent Bernat for the contribution. [RT #36781]

This release supports dnstap, a fast, flexible method for capturing and logging DNS traffic, developed by Robert Edmonds at Farsight Security, Inc., whose assistance is gratefully acknowledged.

To enable dnstap at compile time, the fstrm and protobuf-c libraries must be available, and BIND must be configured with --enable-dnstap.

dnstap data can be logged in two modes: to a file, or to a UNIX-domain socket, from which it can be collected by an external utility such as fstrm_capture.

A new utility dnstap-read has been added to allow dnstap data files to be presented in a human-readable format.

rndc dnstap -roll causes dnstap output files to be rolled like log files -- the most recent output file is renamed with a .0 suffix, the next most recent with .1, etc. (Note that this only works when dnstap output is being written to a file, not to a UNIX domain socket.) An optional numerical argument specifies how many backup log files to retain; if not specified or if set to 0, there is no limit.

dnstap logfiles can also be configured to automatically roll when they reach a specified size, by specifying size and versions parameters to the dnstap-output option.

For more information on dnstap, see http://dnstap.info.

When answering recursive queries, SERVFAIL responses can now be cached by the server for a limited time; subsequent queries for the same query name and type will return another SERVFAIL until the cache times out. This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive servers. The SERVFAIL cache timeout is controlled by servfail-ttl, which defaults to 1 second and has an upper limit of 30.

The nxdomain-redirect option specifies a DNS namespace to use for NXDOMAIN redirection. When a recursive lookup returns NXDOMAIN, a second lookup is initiated with the specified name appended to the query name. This allows NXDOMAIN redirection data to be supplied by multiple zones configured on the server, or by recursive queries to other servers. (The older method, using a single type redirect zone, has better average performance but is less flexible.) [RT #37989]

The rndc nta command can be used to set a "negative trust anchor" (NTA), disabling DNSSEC validation for a specific domain. This can be used when responses from a domain are known to be failing validation due to administrative error rather than because of a spoofing attack.

NTAs are strictly temporary; by default they expire after one hour, but can be configured to last up to one week. The default NTA lifetime can be changed by setting the nta-lifetime in named.conf.

By default, the domain covered by an NTA is checked periodically by named to see if it can now be successfully validated; if it can, the NTA is immediately removed. The recheck frequency can be configured using the nta-recheck option, which defaults to five minutes. Rechecks can be disabled on a per-NTA basis by using the rndc nta -force parameter.

When added, NTAs are stored in a file (viewname.nta) in order to persist across restarts of the named server.

rndc can now return text output of arbitrary size to the caller. Prior to this, certain commands such as rndc tsig-list and rndc zonestatus could return truncated output. [RT #37731]

Added support for the EDNS TCP Keepalive option (RFC 7828); this allows negotiation of longer-lived TCP sessions to reduce the overhead of setting up TCP for individual queries. [RT #42126]

Added support for the EDNS Padding option (RFC 7830), which obfuscates packet size analysis when DNS queries are sent over an encrypted channel. [RT #42094]

Added server-side support for pipelined TCP queries. Multiple queries from a single client can be received over the same TCP connection; the connection is no longer closed after the first query. All queries received over such a connection are handled in parallel.

To revert to the former behavior for a particular client address or range of addresses, specify the address prefix in the keep-response-order option. To revert to the former behavior for all clients, use keep-response order { any; };.

A read-only option is now available in the controls statement to grant non-destructive control channel access. In such cases, a restricted set of rndc commands are allowed, which can report information from named, but cannot reconfigure or stop the server. By default, the control channel access is not restricted to these read-only operations.

The print-time option in the logging configuration can now take arguments local, iso8601 or iso8601-utc to indicate the format in which the date and time should be logged. For backward compatibility, yes is a synonym for local. [RT #42585]

When sending queries to authoritative name servers, IPv6 servers are now given a slight preference over IPv4 servers. The best server to use is chosen on the basis of its measured round trip time (RTT); IPv4 servers are penalized by 50 milliseconds by default. This value is configurable using the v6-bias option.

NOTIFY messages now have separate rate limiting queues. Instead of being limited by the serial-query-rate option (which controls the rate at which SOA queries are sent by slave zones to master zones), the rate at which NOTIFY messages are sent to slaves is now controlled by notify-rate and startup-notify-rate (which applies to NOTIFY messages sent when a server is first started). This can improve startup time on servers hosting a large number of zones. [RT #24454]

New classification options have been added for response rate limiting (RRL):

Query logging now includes the ECS option, if one was present in the query, in the format "[ECS address/source/scope]".

dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has been updated to include these addresses, with the initiating address first and the responding address second, separated by "-%gt;" or "%lt;-" to indicate in which direction the message was sent. [RT #43595]

The Response Policy Zone (RPZ) implementation has been substantially refactored: updates to the RPZ summary database are no longer directly performed by the zone database but by a separate function that is called when a policy zone is updated. This improves both performance and reliability when policy zones receive frequent updates. Summary database updates can be rate-limited by using the min-update-interval option in a response-policy statement. [RT #43449]

The names of the files used to store managed keys and added zones for each view are no longer based on the SHA256 hash of the view name, except when this is necessary because the view name contains characters that would be incompatible with use as a file name. For views whose names do not contain forward slashes ('/'), backslashes ('\'), or capital letters - which could potentially cause namespace collision problems on case-insensitive filesystems - files will now be named after the view (for example, internal.mkeys or external.nzf). However, to ensure consistent behavior when upgrading, if a file using the old name format is found to exist, it will continue to be used. [RT #37704]

"rndc" can now return text output of arbitrary size to the caller. (Prior to this, certain commands such as "rndc tsig-list" and "rndc zonestatus" could return truncated output.) [RT #37731]

The EDNS COOKIE option is now compiled in by default; it is no longer necessary to use configure --enable-sit to enable it.

Similarly, recursive fetch limits (fetches-per-server and fetches-per-zone) are also compiled in by default; it is no longer necessary to use configure --enable-fetchlimit to enable them.

Expanded and improved the YAML output from dnstap-read -y: it now includes packet size and a detailed breakdown of message contents. [RT #43622] [RT #43642]

Adaptive read-write locks reduce system overhead when a lock is only held for a brief time. This can significantly increase performance on multiprocessor systems. [RT #37329]

A flag could be set in the wrong field when setting up nonrecursive queries; this could cause the SERVFAIL cache to cache responses it shouldn't, and in some circumstances lead to an assertion failure. New querytrace logging has been added which identified this error. [RT #41155]

A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318]

named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were being processed at the same time. [RT #42770]

named could trigger an assertion when sending NOTIFY messages. [RT #44019]