Release Notes
Contents
Introduction
BIND 9.19 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.20 release, this document will be updated with additional features added and bugs fixed. Please see the CHANGES file for a more detailed list of changes and bug fixes.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Notes for BIND 9.19.3
New Features
A new command,
rndc fetchlimit
, prints a list of name server addresses that are currently rate-limited due tofetches-per-server
and domain names that are rate-limited due tofetches-per-zone
. [GL #665]
Removed Features
The
glue-cache
option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]
Feature Changes
To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if
stale-cache-enable
is set toyes
. [GL #3386]The
dnssec-signzone -H
default value has been changed to 0 additional NSEC3 iterations. This change aligns thednssec-signzone
default with the default used by thednssec-policy
feature. At the same time, documentation about NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]
When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec
could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]Previously,
named
immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed:named
acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]Previously,
rndc reconfig
did not pick up changes toendpoints
statements inhttp
blocks. This has been fixed. [GL #3415]It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]
Notes for BIND 9.19.2
Feature Changes
New
dnssec-policy
configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]
Bug Fixes
The
fetches-per-server
quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]
Key files were updated every time the
dnssec-policy
key manager ran, whether the metadata had changed or not.named
now checks whether changes were applied before writing out the key files. [GL #3302]
Notes for BIND 9.19.1
Security Fixes
Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in
named
instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]
New Features
Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by
named
. All of the previously supported BIND-specific catalog zone custom properties (primaries
,allow-query
, andallow-transfer
), as well as the new Change of Ownership (coo
) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, theversion
property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]Support DNS Extended Errors (RFC 8914)
Stale Answer
andStale NXDOMAIN Answer
when stale answers are returned from cache. [GL #2267]The Object Identifier (OID) embedded at the start of a PRIVATEOID public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. The Object Identifier is now printed when the
dig +rrcomments
option is used. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3234]The Object Identifier (OID) embedded at the start of a PRIVATEOID signature in a SIG, or RRSIG resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3296]
Bug Fixes
Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the
auto-dnssec maintain;
option. This has been fixed. [GL #2931]
Notes for BIND 9.19.0
Known Issues
According to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
New Features
Add support for remote TLS certificate verification, both to
named
anddig
, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]dnssec-verify
anddnssec-signzone
now accept a-J
option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]
Removed Features
The
keep-order-response
option has been declared obsolete and the functionality has been removed.named
expects DNS clients to be fully compliant with RFC 7766. [GL #3140]
Feature Changes
Run RPZ updates on the specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This should increase the responsiveness of
named
when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]
License
BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the COPYING
file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.19 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.20, which will be a stable branch. The end-of-life date for BIND 9.20 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.16, which will be supported until at least December 2023. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.