Release Notes

Introduction

BIND 9.18 (Extended Support Version) is a stable branch of BIND. This document summarizes significant changes since the last production release on that branch.

Supported Platforms

See the Supported Platforms section in the Resource Requirements chapter.

Download

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Known Issues

  • Upgrading from BIND 9.16.32, 9.18.6, or any older version may require a manual configuration change. The following configurations are affected:

    In these cases please add inline-signing yes; to the individual zone configuration(s). Without applying this change, named will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

  • BIND 9.18 does not support dynamic update forwarding (see allow-update-forwarding) in conjuction with zone transfers over TLS (XoT). [GL #3512]

  • According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

  • rndc has been updated to use the new BIND network manager API. As the network manager currently has no support for UNIX-domain sockets, those cannot now be used with rndc. This will be addressed in a future release, either by restoring UNIX-domain socket support or by formally declaring them to be obsolete in the control channel. [GL #1759]

  • Sending NOTIFY messages silently fails when the source port specified in the notify-source statement is already in use. This can happen e.g. when multiple servers are configured as NOTIFY targets for a zone and some of them are unresponsive. This issue can be worked around by not specifying the source port for NOTIFY messages in the notify-source statement; note that source port configuration is already deprecated and will be removed altogether in a future release. [GL #4002]

Notes for BIND 9.18.20

Feature Changes

  • The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b. [GL #4101]

Bug Fixes

  • If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed. [GL #4350]

  • Looking up stale data from the cache did not take local authoritative data into account. This has been fixed. [GL #4355]

  • An assertion failure was triggered when lock-file was used at the same time as the named -X command-line option. This has been fixed. [GL #4386]

  • The lock-file file was being removed when it should not have been, making the statement ineffective when named was started three or more times. This has been fixed. [GL #4387]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.19

Security Fixes

  • Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341)

    ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152]

  • A flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure under significant DNS-over-TLS query load. This has been fixed. (CVE-2023-4236)

    ISC would like to thank Robert Story from USC/ISI Root Server Operations for bringing this vulnerability to our attention. [GL #4242]

Removed Features

Feature Changes

  • If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181]

Bug Fixes

  • The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). [GL #4124]

    This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead.

  • The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL #4125]

    This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

  • Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159]

    This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

  • The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280]

  • The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. [GL #4278]

  • BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038]

  • Previously, partial writes in the TLS DNS code were not accounted for correctly, which could have led to DNS message corruption. This has been fixed. [GL #4255]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.18

Feature Changes

  • When a primary server for a zone responds to an SOA query, but the subsequent TCP connection required to transfer the zone is refused, that server is marked as temporarily unreachable. This now also happens if the TCP connection attempt times out, preventing too many zones from queuing up on an unreachable server and allowing the refresh process to move on to the next configured primary more quickly. [GL #4215]

  • The dialup and heartbeat-interval options have been deprecated and will be removed in a future BIND 9 release. [GL #3700]

Bug Fixes

  • Processing already-queued queries received over TCP could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed. This has been fixed. [GL #4200]

  • Setting dnssec-policy to insecure prevented zones containing resource records with a TTL value larger than 86400 seconds (1 day) from being loaded. This has been fixed by ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations. [GL #4032]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.17

Feature Changes

  • If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. [GL #4049]

  • The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals. [GL #3325]

Bug Fixes

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.16

Security Fixes

  • The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)

    ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4055]

  • A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) [GL #4089]

New Features

  • The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). [GL #3978]

Removed Features

  • TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and will be removed in a future release. A warning will be logged when the tkey-dhkey option is used in named.conf. [GL #3905]

Bug Fixes

  • BIND could get stuck on reconfiguration when a listen-on statement for HTTP is removed from the configuration. That has been fixed. [GL #4071]

  • Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed. [GL #3950]

  • BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed. [GL #4038]

  • When the stale-answer-enable option was enabled and the stale-answer-client-timeout option was enabled and larger than 0, named previously allocated two slots from the clients-per-query limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed. [GL #4074]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.15

Bug Fixes

  • The max-transfer-time-in and max-transfer-idle-in statements have not had any effect since the BIND 9 networking stack was refactored in version 9.16. The missing functionality has been re-implemented and incoming zone transfers now time out properly when not progressing. [GL #4004]

  • The read timeout in rndc is now 60 seconds, matching the behavior in BIND 9.16 and earlier. It had previously been lowered to 30 seconds by mistake. [GL #4046]

  • When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT) error code is returned by libuv, it is now treated as a network failure: the server for which that error code is returned gets marked as broken and is not contacted again during a given resolution process. [GL #4005]

  • When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed. [GL #4027]

  • Log file rotation code did not clean up older versions of log files when the logging channel had an absolute path configured as a file destination. This has been fixed. [GL #3991]

Known Issues

  • Sending NOTIFY messages silently fails when the source port specified in the notify-source statement is already in use. This can happen e.g. when multiple servers are configured as NOTIFY targets for a zone and some of them are unresponsive. This issue can be worked around by not specifying the source port for NOTIFY messages in the notify-source statement; note that source port configuration is already deprecated and will be removed altogether in a future release. [GL #4002]

  • See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.14

Removed Features

  • Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been deprecated. A warning is now logged when they are used.

    These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed. [GL #3953]

Bug Fixes

  • Several bugs which could cause named to crash during catalog zone processing have been fixed. [GL #3955] [GL #3968] [GL #3997]

  • Previously, downloading large zones over TLS (XoT) from a primary could hang the transfer on the secondary, especially when the connection was unstable. This has been fixed. [GL #3867]

  • Performance of DNSSEC validation in zones with many DNSKEY records has been improved. [GL #3981]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.13

New Features

  • RPZ updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]

Feature Changes

  • Catalog zone updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when catalog zone updates are being applied after a catalog zone has been successfully transferred. [GL #3881]

  • libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup:

    • Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error.

    • Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower.

    • Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0.

    This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call. [GL #3840]

Bug Fixes

  • named could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed. [GL #3911]

  • When named starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading. [GL #3673]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.12

Removed Features

Bug Fixes

  • A constant stream of zone additions and deletions via rndc reconfig could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. [GL #3801]

  • The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved. [GL #3795]

  • Pointing parental-agents to a resolver did not work because the RD bit was not set on DS requests. This has been fixed. [GL #3783]

  • Building BIND 9 failed when the --enable-dnsrps switch for ./configure was used. This has been fixed. [GL #3827]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.11

Security Fixes

  • An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094)

    ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523]

  • named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736)

    ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622]

  • named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924)

    ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619]

New Features

  • The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523]

Removed Features

  • The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in named.conf now causes a warning to be logged. [GL #3773]

Feature Changes

  • The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3212] [GL #3744]

Bug Fixes

  • A rare assertion failure was fixed in outgoing TCP DNS connection handling. [GL #3178] [GL #3636]

  • Large zone transfers over TLS (XoT) could fail. This has been fixed. [GL #3772]

  • In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3752]

  • In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678]

  • When an outgoing request timed out, named would retry up to three times with the same server instead of trying the next available name server. This has been fixed. [GL #3637]

  • Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner. [GL #3739]

  • The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. [GL #3743]

  • Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed. [GL #3725]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.10

Feature Changes

  • To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if stale-cache-enable is set to yes. [GL #3386]

  • The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]

  • The coresize, datasize, files, and stacksize options have been deprecated. The limits these options set should be enforced externally, either by manual configuration (e.g. using ulimit) or via the process supervisor (e.g. systemd). [GL #3676]

  • Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (alt-transfer-source, alt-transfer-source-v6, and use-alt-transfer-source) will be removed in a future BIND 9.19.x release. [GL #3694]

  • The number of HTTP headers allowed in requests sent to named’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. [GL #3670]

Bug Fixes

  • named could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). This has been fixed. [GL #3693]

  • When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. This has been fixed. [GL #3683]

  • When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]

  • TLS configuration for primary servers was not applied for zones that were members of a catalog zone. This has been fixed. [GL #3638]

  • In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]

  • host and nslookup command-line options setting the custom TCP/UDP port to use were ignored for ANY queries (which are sent over TCP). This has been fixed. [GL #3721]

  • The zone <name>/<class>: final reference detached log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode. [GL #3707]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.9

Bug Fixes

  • A crash was fixed that happened when a dnssec-policy zone that used NSEC3 was reconfigured to enable inline-signing. [GL #3591]

  • In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3598]

  • rpz-ip rules in response-policy zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. This has been fixed. [GL #3247]

  • Previously, if Internet connectivity issues were experienced during the initial startup of named, a BIND resolver with dnssec-validation set to auto could enter into a state where it would not recover without stopping named, manually deleting the managed-keys.bind and managed-keys.bind.jnl files, and starting named again. This has been fixed. [GL #2895]

  • The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could overflow in certain resolution scenarios. This has been fixed. [GL #3584]

  • Previously, the port in remote servers such as in primaries and parental-agents could be wrongly configured because of an inheritance bug. This has been fixed. [GL #3627]

  • Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. [GL #3563]

  • When a DNS resource record’s TTL value was equal to the resolver’s configured prefetch “eligibility” value, the record was erroneously not treated as eligible for prefetching. This has been fixed. [GL #3603]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.8

Known Issues

New Features

  • Support for parsing and validating the dohpath service parameter in SVCB records was added. [GL #3544]

  • named now logs the supported cryptographic algorithms during startup and in the output of named -V. [GL #3541]

  • The recursion not available and query (cache) '...' denied log messages were extended to include the name of the ACL that caused a given query to be denied. [GL #3587]

Feature Changes

  • The ability to use PKCS#11 via engine_pkcs11 has been restored, by using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be compiled with -DOPENSSL_API_COMPAT=10100 specified in the CFLAGS environment variable at compile time. [GL #3578]

Bug Fixes

  • An assertion failure was fixed in named that was caused by aborting the statistics channel connection while sending statistics data to the client. [GL #3542]

  • Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. This has been fixed. [GL #3557]

Notes for BIND 9.18.7

Security Fixes

  • Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795)

    ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]

  • When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) [GL #3493]

  • Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) [GL #3491]

  • named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]

  • Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]

Feature Changes

  • Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]

  • Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]

  • When reconfiguring dnssec-policy from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. [GL #3486]

  • A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in dig and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]

Bug Fixes

  • A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.6

Feature Changes

  • The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]

  • Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]

Bug Fixes

  • When running as a validating resolver forwarding all queries to another resolver, named could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response and named failed its attempts to find a proper one instead. This has been fixed. [GL #3439]

  • Non-dynamic zones that inherit dnssec-policy from the view or options blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]

  • The old max-zone-ttl zone option was meant to be superseded by the max-zone-ttl option in dnssec-policy; however, the latter option was not fully effective. This has been corrected: zones no longer load if they contain TTLs greater than the limit configured in dnssec-policy. For zones with both the old max-zone-ttl option and dnssec-policy configured, the old option is ignored, and a warning is generated. [GL #2918]

  • rndc dumpdb -expired was fixed to include expired RRsets, even if stale-cache-enable is set to no and the cache-cleaning time window has passed. [GL #3462]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.5

Feature Changes

Bug Fixes

  • An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]

  • When grafting non-delegated namespace onto delegated namespace, synth-from-dnssec could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]

  • Previously, named immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed: named acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]

  • Previously, rndc reconfig did not pick up changes to endpoints statements in http blocks. This has been fixed. [GL #3415]

  • It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.4

Feature Changes

  • New dnssec-policy configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]

Bug Fixes

  • The fetches-per-server quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]

  • DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]

  • Key files were updated every time the dnssec-policy key manager ran, whether the metadata had changed or not. named now checks whether changes were applied before writing out the key files. [GL #3302]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.3

Security Fixes

  • Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in named instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.

    ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]

Known Issues

  • According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

  • See above for a list of all known issues affecting this BIND 9 branch.

New Features

  • Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by named. All of the previously supported BIND-specific catalog zone custom properties (primaries, allow-query, and allow-transfer), as well as the new Change of Ownership (coo) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, the version property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]

  • Support DNS Extended Errors (RFC 8914) Stale Answer and Stale NXDOMAIN Answer when stale answers are returned from cache. [GL #2267]

  • Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]

Bug Fixes

  • Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the auto-dnssec maintain; option. This has been fixed. [GL #2931]

Notes for BIND 9.18.2

New Features

  • Add a new configuration option reuseport to disable load balancing on sockets in situations where processing of Response Policy Zones (RPZ), Catalog Zones, or large zone transfers can cause service disruptions. See the BIND 9 ARM for more detail. [GL #3249]

Bug Fixes

  • Previously, zone maintenance DNS queries retried forever if the destination server was unreachable. These queries included outgoing NOTIFY messages, refresh SOA queries, parental DS checks, and stub zone NS queries. For example, if a zone had any nameservers with IPv6 addresses and a secondary server without IPv6 connectivity, that server would keep trying to send a growing amount of NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive retry behavior has been fixed. [GL #3242]

  • A number of crashes and hangs which could be triggered in dig were identified and addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]

  • Invalid dnssec-policy definitions, where the defined keys did not cover both KSK and ZSK roles for a given algorithm, were being accepted. These are now checked, and the dnssec-policy is rejected if both roles are not present for all algorithms in use. [GL #3142]

  • Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. [GL #3200]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.1

Security Fixes

  • The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)

    ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]

  • TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]

  • Lookups involving a DNAME could trigger an assertion failure when synth-from-dnssec was enabled (which is the default). (CVE-2022-0635)

    ISC would like to thank Vincent Levigneron from AFNIC for bringing this vulnerability to our attention. [GL #3158]

  • When chasing DS records, a timed-out or artificially delayed fetch could cause named to crash while resuming a DS lookup. (CVE-2022-0667) [GL #3129]

Feature Changes

  • The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent by a client are now included in the client information sent to DLZ modules when processing queries. [GL #3082]

  • DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]

  • The limit on the number of simultaneously processed pipelined DNS queries received over TCP has been removed. Previously, it was capped at 23 queries processed at the same time. [GL #3141]

Bug Fixes

  • A failed view configuration during a named reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other unexpected errors. This has been fixed. [GL #3060]

  • Previously, named logged a “quota reached” message when it hit its hard quota on the number of connections. That message was accidentally removed but has now been restored. [GL #3125]

  • The max-transfer-time-out and max-transfer-idle-out options were not implemented when the BIND 9 networking stack was refactored in 9.16. The missing functionality has been re-implemented and outgoing zone transfers now time out properly when not progressing. [GL #1897]

  • TCP connections could hang indefinitely if the other party did not read sent data, causing the TCP write buffers to fill. This has been fixed by adding a “write” timer. Connections that are hung while writing now time out after the tcp-idle-timeout period has elapsed. [GL #3132]

  • Client TCP connections are now closed immediately when data received cannot be parsed as a valid DNS request. [GL #3149]

  • The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could be miscalculated in certain resolution scenarios, potentially causing the value of the counter to drop below zero. This has been fixed. [GL #3147]

  • An error in the processing of the blackhole ACL could cause some DNS requests sent by named to fail - for example, zone transfer requests and SOA refresh queries - if the destination address or prefix was specifically excluded from the ACL using !, or if the ACL was set to none. This has now been fixed. blackhole worked correctly when it was left unset, or if only positive-match elements were included. [GL #3157]

  • Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. [GL #3111]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.18.0

Note

This section only lists changes since BIND 9.16.25, the most recent release on the previous stable branch of BIND before the publication of BIND 9.18.0.

Known Issues

  • rndc has been updated to use the new BIND network manager API. As the network manager currently has no support for UNIX-domain sockets, those cannot now be used with rndc. This will be addressed in a future release, either by restoring UNIX-domain socket support or by formally declaring them to be obsolete in the control channel. [GL #1759]

  • See above for a list of all known issues affecting this BIND 9 branch.

New Features

  • named now supports securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH).

    named can use either a certificate provided by the user or an ephemeral certificate generated automatically upon startup. The tls block allows fine-grained control over TLS parameters. [GL #1840] [GL #2795] [GL #2796]

    For debugging purposes, named logs TLS pre-master secrets when the SSLKEYLOGFILE environment variable is set. This enables troubleshooting of issues with encrypted traffic. [GL #2723]

  • Support for DNS over TLS (DoT) has been added to named. Network interfaces for DoT are configured using the existing listen-on directive, while TLS parameters are configured using the new tls block. [GL #1840]

    named supports zone transfers over TLS (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.

    Incoming zone transfers over TLS are enabled by adding the tls keyword, followed by either the name of a previously configured tls block or the string ephemeral, to the addresses included in primaries lists. [GL #2392]

    Similarly, the allow-transfer option was extended to accept additional port and transport parameters, to further restrict outgoing zone transfers to a particular port and/or DNS transport protocol. [GL #2776]

    Note that zone transfers over TLS (XoT) require the dot Application-Layer Protocol Negotiation (ALPN) token to be selected in the TLS handshake, as required by RFC 9103 section 7.1. This might cause issues with non-compliant XoT servers. [GL #2794]

    The dig tool is now able to send DoT queries (+tls option). [GL #1840]

    There is currently no support for forwarding DNS queries via DoT.

  • Support for DNS over HTTPS (DoH) has been added to named. Both TLS-encrypted and unencrypted connections are supported (the latter may be used to offload encryption to other software). Network interfaces for DoH are configured using the existing listen-on directive, while TLS parameters are configured using the new tls block and HTTP parameters are configured using the new http block. [GL #1144] [GL #2472]

    Server-side quotas on both the number of concurrent DoH connections and the number of active HTTP/2 streams per connection can be configured using the global http-listener-clients and http-streams-per-connection options, or the listener-clients and streams-per-connection parameters in an http block. [GL #2809]

    The dig tool is now able to send DoH queries (+https option). [GL #1641]

    There is currently no support for forwarding DNS queries via DoH.

    DoH support can be disabled at compile time using a new build-time option, --disable-doh. This allows BIND 9 to be built without the libnghttp2 library. [GL #2478]

  • A new logging category, rpz-passthru, was added, which allows RPZ passthru actions to be logged into a separate channel. [GL #54]

  • A new option, nsdname-wait-recurse, has been added to the response-policy clause in the configuration file. When set to no, RPZ NSDNAME rules are only applied if the authoritative nameservers for the query name have been looked up and are present in the cache. If this information is not present, the RPZ NSDNAME rules are ignored, but the information is looked up in the background and applied to subsequent queries. The default is yes, meaning that RPZ NSDNAME rules should always be applied, even if the information needs to be looked up first. [GL #1138]

  • Support for HTTPS and SVCB record types now also includes ADDITIONAL section processing for these record types. [GL #1132]

  • New configuration options, tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer, and udp-send-buffer, have been added. These options allow the operator to fine-tune the receiving and sending buffers in the operating system. On busy servers, increasing the size of the receive buffers can prevent the server from dropping packets during short traffic spikes, and decreasing it can prevent the server from becoming clogged with queries that are too old and have already timed out. [GL #2313]

  • New finer-grained update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, were added. These rule types restrict updates to SRV and PTR records so that their content can only match the machine name embedded in the Kerberos principal making the change. [GL #481]

  • Per-type record count limits can now be specified in update-policy statements, to limit the number of records of a particular type that can be added to a domain name via dynamic update. [GL #1657]

  • Support for OpenSSL 3.0 APIs was added. [GL #2843] [GL #3057]

  • Extended DNS Error Code 18 - Prohibited (see RFC 8914 section 4.19) is now set if query access is denied to the specific client. [GL #1836]

  • ipv4only.arpa is now served when DNS64 is configured. [GL #385]

  • dig can now report the DNS64 prefixes in use (+dns64prefix). This is useful when the host on which dig is run is behind an IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a Service). [GL #1154]

  • dig output now includes the transport protocol used (UDP, TCP, TLS, HTTPS). [GL #1144] [GL #1816]

  • dig +qid=<num> allows the user to specify a particular query ID for testing purposes. [GL #1851]

Removed Features

  • Support for the map zone file format (masterfile-format map;) has been removed. Users relying on the map format are advised to convert their zones to the raw format with named-compilezone and change the configuration appropriately prior to upgrading BIND 9. [GL #2882]

  • Old-style Dynamically Loadable Zones (DLZ) drivers that had to be enabled in named at build time have been removed. New-style DLZ modules should be used as a replacement. [GL #2814]

  • Support for compiling and running BIND 9 natively on Windows has been completely removed. The last stable release branch that has working Windows support is BIND 9.16. [GL #2690]

  • Native PKCS#11 support has been removed. [GL #2691]

    When built against OpenSSL 1.x, BIND 9 now uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL engine which is part of the OpenSC project.

    As support for so-called “engines” was deprecated in OpenSSL 3.x, compiling BIND 9 against an OpenSSL 3.x build which does not retain support for deprecated APIs makes it impossible to use PKCS#11 in BIND 9. A replacement for engine_pkcs11 which employs the new “provider” approach introduced in OpenSSL 3.x is in the making. [GL #2843]

  • The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from the BIND distribution, as well as the isc Python package. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.

    An archival version of the Python utilities has been moved to the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/. Please note these tools are no longer supported by ISC.

  • Since the old socket manager API has been removed, “socketmgr” statistics are no longer reported by the statistics-channels. [GL #2926]

  • The glue-cache option has been marked as deprecated. The glue cache feature still works and will be permanently enabled in a future release. [GL #2146]

  • A number of non-working configuration options that had been marked as obsolete in previous releases have now been removed completely. Using any of the following options is now considered a configuration failure: acache-cleaning-interval, acache-enable, additional-from-auth, additional-from-cache, allow-v6-synthesis, cleaning-interval, dnssec-enable, dnssec-lookaside, filter-aaaa, filter-aaaa-on-v4, filter-aaaa-on-v6, geoip-use-ecs, lwres, max-acache-size, nosit-udp-size, queryport-pool-ports, queryport-pool-updateinterval, request-sit, sit-secret, support-ixfr, use-queryport-pool, use-ixfr. [GL #1086]

  • The dig option +unexpected has been removed. [GL #2140]

  • IPv6 sockets are now explicitly restricted to sending and receiving IPv6 packets only. As this breaks the +mapped option for dig, the option has been removed. [GL #3093]

  • Disable and disallow static linking of BIND 9 binaries and libraries as BIND 9 modules require dlopen() support and static linking also prevents using security features like read-only relocations (RELRO) or address space layout randomization (ASLR) which are important for programs that interact with the network and process arbitrary user input. [GL #1933]

  • The --with-gperftools-profiler configure option was removed. To use the gperftools profiler, the HAVE_GPERFTOOLS_PROFILER macro now needs to be manually set in CFLAGS and -lprofiler needs to be present in LDFLAGS. [GL !4045]

Feature Changes

  • Aggressive Use of DNSSEC-Validated Cache (synth-from-dnssec, see RFC 8198) is now enabled by default again, after having been disabled in BIND 9.14.8. The implementation of this feature was reworked to achieve better efficiency and tuned to ignore certain types of broken NSEC records. Negative answer synthesis is currently only supported for zones using NSEC. [GL #1265]

  • The default NSEC3 parameters for dnssec-policy were updated to no extra SHA-1 iterations and no salt (NSEC3PARAM 1 0 0 -). This change is in line with the latest NSEC3 recommendations. [GL #2956]

  • The default for dnssec-dnskey-kskonly was changed to yes. This means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by default. The additional signatures prepared using the ZSK when the option is set to no add to the DNS response payload without offering added value. [GL #1316]

  • dnssec-cds now only generates SHA-2 DS records by default and avoids copying deprecated SHA-1 records from a child zone to its delegation in the parent. If the child zone does not publish SHA-2 CDS records, dnssec-cds will generate them from the CDNSKEY records. The -a algorithm option now affects the process of generating DS digest records from both CDS and CDNSKEY records. Thanks to Tony Finch. [GL #2871]

  • Previously, named accepted FORMERR responses both with and without an OPT record, as an indication that a given server did not support EDNS. To implement full compliance with RFC 6891, only FORMERR responses without an OPT record are now accepted. This intentionally breaks communication with servers that do not support EDNS and that incorrectly echo back the query message with the RCODE field set to FORMERR and the QR bit set to 1. [GL #2249]

  • The question section is now checked when processing AXFR, IXFR, and SOA replies while transferring a zone in. [GL #1683]

  • DNS Flag Day 2020: the EDNS buffer size probing code, which made the resolver adjust the EDNS buffer size used for outgoing queries based on the successful query responses and timeouts observed, was removed. The resolver now always uses the EDNS buffer size set in edns-udp-size for all outgoing queries. [GL #2183]

  • Keeping stale answers in cache (stale-cache-enable) has been disabled by default. [GL #1712]

  • Overall memory use by named has been optimized and significantly reduced, especially for resolver workloads. [GL #2398] [GL #3048]

  • Memory allocation is now based on the memory allocation API provided by the jemalloc library, on platforms where it is available. Use of this library is now recommended when building BIND 9; although it is optional, it is enabled by default. [GL #2433]

  • Internal data structures maintained for each cache database are now grown incrementally when they need to be expanded. This helps maintain a steady response rate on a loaded resolver while these internal data structures are resized. [GL #2941]

  • The interface handling code has been refactored to use fewer resources, which should lead to less memory fragmentation and better startup performance. [GL #2433]

  • When reporting zone types in the statistics channel, the terms primary and secondary are now used instead of master and slave, respectively. [GL #1944]

  • The rndc nta -dump and rndc secroots commands now both include validate-except entries when listing negative trust anchors. These are indicated by the keyword permanent in place of the expiry date. [GL #1532]

  • The output of rndc serve-stale status has been clarified. It now explicitly reports whether retention of stale data in the cache is enabled (stale-cache-enable), and whether returning such data in responses is enabled (stale-answer-enable). [GL #2742]

  • Previously, using dig +bufsize=0 had the side effect of disabling EDNS, and there was no way to test the remote server’s behavior when it had received a packet with EDNS0 buffer size set to 0. This is no longer the case; dig +bufsize=0 now sends a DNS message with EDNS version 0 and buffer size set to 0. To disable EDNS, use dig +noedns. [GL #2054]

  • BIND 9 binaries which are neither daemons nor administrative programs were moved to $bindir. Only ddns-confgen, named, rndc, rndc-confgen, and tsig-confgen were left in $sbindir. [GL #1724]

  • The BIND 9 build system has been changed to use a typical autoconf+automake+libtool stack. This should not make any difference for people building BIND 9 from release tarballs, but when building BIND 9 from the Git repository, autoreconf -fi needs to be run first. Extra attention is also needed when using non-standard configure options. [GL #4]

Bug Fixes

  • Log files using timestamp-style suffixes were not always correctly removed when the number of files exceeded the limit set by versions. This has been fixed. [GL #828]

License

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

End of Life

BIND 9.18 (Extended Support Version) will be supported until at least December, 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible.