Introduction

BIND 9.8.1b1 is the first beta release of BIND 9.8.1, a maintenance release for BIND 9.8.

Please see the CHANGES file in the source code release for a complete list of all changes. See below for a list of changes since 9.8.0.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/all. There you will find additional information about each release, source code, and pre-compiled versions for certain operating systems.

Support

Product support information is available on http://www.isc.org/services/support for paid support options. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://lists.isc.org/mailman/listinfo.

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/supportisc.

Known issues in this release:

* Named can fail to return a complete CNAME chain when the CNAME record and its target are both within zones for which the server is authoritative. This only happens when named is configured to be recursive as well as authoritative, and only affects recursive clients. The failure happens infrequently, but once it has started happening the only fix is to restart named. The bug was fixed too late for inclusion in this beta release, but it will be included in the next release.

All changes since 9.8.0:

3112. [doc] Add missing descriptions of the update policy name types "ms-self", "ms-subdomain", "krb5-self" and "krb5-subdomain", which allow machines to update their own records, to the BIND 9 ARM.
3111. [bug] Improved consistency checks for dnssec-enable and dnssec-validation, added test cases to the checkconf system test. [RT #24398]
3110. [bug] dnssec-signzone: Wrong error message could appear when attempting to sign with no KSK. [RT #24369]
3107. [bug] dnssec-signzone: Report the correct number of ZSKs when using -x. [RT #20852]
3105. [bug] GOST support can be suppressed by "configure --without-gost" [RT #24367]
3104. [bug] Better support for cross-compiling. [RT #24367]
3103. [bug] Configuring 'dnssec-validation auto' in a view instead of in the options statement could trigger an assertion failure in named-checkconf. [RT #24382]
3101. [bug] Zones using automatic key maintenance could fail to check the key repository for updates. [RT #23744]
3100. [security] Certain response policy zone configurations could trigger an INSIST when receiving a query of type RRSIG. [RT #24280]
3099. [test] "dlz" system test now runs but gives R:SKIPPED if not compiled with --with-dlz-filesystem. [RT #24146]
3098. [bug] DLZ zones were answering without setting the AA bit. [RT #24146]
3097. [test] Add a tool to test handling of malformed packets. [RT #24096]
3096. [bug] Set KRB5_KTNAME before calling log_cred() in dst_gssapi_acceptctx(). [RT #24004]
3095. [bug] Handle isolated reserved ports in the port range. [RT #23957]
3094. [doc] Expand dns64 documentation.
3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
3092. [bug] Signatures for records at the zone apex could go stale due to an incorrect timer setting. [RT #23769]
3091. [bug] Fixed a bug in which zone keys that were published and then subsequently activated could fail to trigger automatic signing. [RT #22911]
3090. [func] Make --with-gssapi default [RT #23738]
3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf and add setup.sh in order to resolve changing named.conf issue. [RT #23687]
3087. [bug] DDNS updates using SIG(0) with update-policy match type "external" could cause a crash. [RT #23735]
3086. [bug] Running dnssec-settime -f on an old-style key will now force an update to the new key format even if no other change has been specified, using "-P now -A now" as default values. [RT #22474]
3083. [bug] NOTIFY messages were not being sent when generating a NSEC3 chain incrementally. [RT #23702]
3082. [port] strtok_r is threads only. [RT #23747]
3081. [bug] Failure of DNAME substitution did not return YXDOMAIN. [RT #23591]
3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS. [RT #23587]
3079. [bug] Handle isc_event_allocate failures in t_tasks. [RT #23572]
3078. [func] Added a new include file with function typedefs for the DLZ "dlopen" driver. [RT #23629]
3077. [bug] zone.c:zone_refreshkeys() incorrectly called dns_zone_attach(), use zone->irefs instead. [RT #23303]
3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent timestamp when determining which keys are active. [RT #23642]
3074. [bug] Make the adb cache read through for zone data and glue learn for zone named is authoritative for. [RT #22842]
3073. [bug] managed-keys changes were not properly being recorded. [RT #20256]
3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference. [RT #20256]
3071. [bug] has_nsec could be used uninitialised in update.c:next_active. [RT #20256]
3070. [bug] dnssec-signzone potential NULL pointer dereference. [RT #20256]
3069. [cleanup] Silence warning messages from clang static analysis. [RT #20256]
3068. [bug] Named failed to build with an OpenSSL without engine support. [RT #23473]
3067. [bug] ixfr-from-differences {master|slave}; failed to select the master/slave zones. [RT #23580]
3066. [func] The DLZ "dlopen" driver is now built by default, no longer requiring a configure option. To disable it, use "configure --without-dlopen". (Note: driver not supported on win32.) [RT #23467]
3065. [bug] RRSIG could have time stamps too far in the future. [RT #23356]
3064. [bug] powerpc: add sync instructions to the end of atomic operations. [RT #23469]
3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]
3059. [test] Added a regression test for change #3023.
3058. [bug] Cause named to terminate at startup or rndc reconfig/reload to fail, if a log file specified in the conf file isn't a plain file. [RT #22771]
3057. [bug] "rndc secroots" would abort after the first error and so could miss some views. [RT #23488]
3054. [bug] Added elliptic curve support check in GOST OpenSSL engine detection. [RT #23485]
3053. [bug] Under a sustained high query load with a finite max-cache-size, it was possible for cache memory to be exhausted and not recovered. [RT #23371]
3052. [test] Fixed last autosign test report. [RT #23256]
3051. [bug] NS records obscure DNAME records at the bottom of the zone if both are present. [RT #23035]
3050. [bug] The autosign system test was timing dependent. Wait for the initial autosigning to complete before running the rest of the test. [RT #23035]
3049. [bug] Save and restore the gid when creating named.pid at startup. [RT #23290]
3048. [bug] Fully separate view key management. [RT #23419]
3047. [bug] DNSKEY NODATA responses not cached fixed in validator.c. Tests added to dnssec system test. [RT #22908]
3046. [bug] Use RRSIG original TTL to compute validated RRset and RRSIG TTL. [RT #23332]
3044. [bug] Hold the socket manager lock while freeing the socket. [RT #23333]
3043. [test] Merged in the NetBSD ATF test framework (currently version 0.12) for development of future unit tests. Use configure --with-atf to build ATF internally or configure --with-atf=prefix to use an external copy. [RT #23209]
3042. [bug] dig +trace could fail attempting to use IPv6 addresses on systems with only IPv4 connectivity. [RT #23297]
3041. [bug] dnssec-signzone failed to generate new signatures on ttl changes. [RT #23330]
3040. [bug] Named failed to validate insecure zones where a node with a CNAME existed between the trust anchor and the top of the zone. [RT #23338]
3038. [bug] Install . [RT #23342]
3037. [doc] Update COPYRIGHT to contain all the individual copyright notices that cover various parts.
3036. [bug] Check built-in zone arguments to see if the zone is re-usable or not. [RT #21914]
3035. [cleanup] Simplify by using strlcpy. [RT #22521]
3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]
3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET). [RT #22521]
3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]
3031. [bug] dns_rdataclass_format() handle a zero sized buffer. [RT #22521]
3030. [bug] dns_rdatatype_format() handle a zero sized buffer. [RT #22521]
3029. [bug] isc_netaddr_format() handle a zero sized buffer. [RT #22521]
3028. [bug] isc_sockaddr_format() handle a zero sized buffer. [RT #22521]
3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to catch NULL pointer dereferences before they happen. [RT #22521]
3026. [bug] lib/isc/httpd.c: check that we have enough space after calling grow_headerspace() and if not re-call grow_headerspace() until we do. [RT #22521]