Release Notes

Introduction

BIND 9.21 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.22 release, this document will be updated with additional features added and bugs fixed. Please see the Changelog file for a more detailed list of changes and bug fixes.

Supported Platforms

See the Supported Platforms section in the Resource Requirements chapter.

Download

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Known Issues

  • There are no known issues affecting this BIND 9 branch.

Notes for BIND 9.21.2

New Features

  • Log query response status to the query log.

    Log a query response summary using the new responses category. Logging can be controlled via the responselog option and via rndc responselog. [GL #459]

  • Added WALLET type.

    Add the new record type WALLET (262). This provides a mapping from a domain name to a cryptographic currency wallet. Multiple mappings can exist if multiple records exist. [GL #4947]

  • Support ISO timestamps with timezone information.

    The configuration option print-time can now be set to iso8601-tzinfo, to use the ISO 8601 timestamp with timezone information when logging. This is used as a default for named -g. [GL #4963]

  • Add flag to named-checkconf to ignore “not configured” errors.

    named-checkconf now takes the named-checkconf -n option to ignore “not configured” errors. This allows named-checkconf to check the syntax of configurations from other builds that have support for options not present in the named-checkconf build. [GL !9446]

  • Implement the ForwardOnlyFail statistics channel counter.

    The new ForwardOnlyFail statistics channel counter indicates the number of queries that failed due to bad forwarders for “forward only” zones. Related to [GL #1793].

Removed Features

  • Remove port from source address options.

    Remove the use of port when configuring query-source, transfer-source, notify-source, parental-source, etc., and their -v6 counterparts. Also, remove the use of source ports for parental-agents.

    Also remove the deprecated options use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports. [GL #3843]

  • Remove DNSRPS implementation from the open source version of BIND 9.

    DNSRPS was a reputedly improved API for a commercial implementation of Response Policy Zones; however, it was never open-sourced and has only ever been available from a single vendor. This goes against the principle that the open source edition of BIND 9 should contain only features that are generally available and universal. [GL !9358]

Feature Changes

  • Set logging category for notify/xfer-in-related messages.

    Some notify and xfer-in-related log messages were logged at the “general” category level instead of their own category. This has been fixed. [GL #2730]

  • Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.

    This change allows fallback from an IXFR failure to AXFR when the reason is DNS_R_TOOMANYRECORDS. [GL #4928]

  • Honor the Control Group memory constraints on Linux.

    On Linux, the system administrator can use the Control Group (cgroup) mechanism to limit the amount of memory available to the process. This limit is now honored when calculating the percentage-based values. [GL !9556]

Bug Fixes

  • Fix a statistics channel counter bug when “forward only” zones are used.

    When resolving a zone with a “forward only” policy, and finding out that all the forwarders were marked as “bad”, the “ServerQuota” counter of the statistics channel was incorrectly increased. This has been fixed. [GL #1793]

  • Fix a bug in the static-stub implementation.

    Static-stub addresses and addresses from other sources were being mixed together, resulting in static-stub queries going to addresses not specified in the configuration, or alternatively, static-stub addresses being used instead of the correct server addresses. [GL #4850]

  • Don’t allow statistics-channels if libxml2 and libjson-c are not configured.

    When BIND 9 is not configured with the libxml2 and libjson-c libraries, the use of the statistics-channels option is a fatal error. [GL #4895]

  • Separate DNSSEC validation from long-running tasks.

    Split CPU-intensive and long-running tasks into separate threadpools in a way that the long-running tasks - like RPZ, catalog zone processing, or zone file operations - don’t block CPU-intensive operations like DNSSEC validations. [GL #4898]

  • Fix an assertion failure when processing access control lists.

    The named process could terminate unexpectedly when processing ACLs. This has been fixed. [GL #4908]

  • Fix a bug in Offline KSK using a ZSK with an unlimited lifetime.

    If the ZSK had an unlimited lifetime, the timing metadata Inactive and Delete could not be found and were treated as an error, preventing the zone from being signed. This has been fixed. [GL #4914]

  • Limit the outgoing UDP send queue size.

    If the operating system UDP queue got full and the outgoing UDP sending started to be delayed, BIND 9 could exhibit memory spikes as it tried to enqueue all the outgoing UDP messages. It now tries to deliver the outgoing UDP messages synchronously; if that fails, it drops the outgoing DNS message that would otherwise get queued up and then time out on the client side. [GL #4930]

  • Do not set SO_INCOMING_CPU.

    Remove the SO_INCOMING_CPU setting as kernel scheduling performs better without constraints. [GL #4936]

  • Fix the rndc dumpdb command’s error reporting.

    The rndc dumpdb command was not reporting errors that occurred when named started up the database dump process. This has been fixed. [GL #4944]

  • Fix long-running incoming transfers.

    Incoming transfers that took longer than 30 seconds would stop reading from the TCP stream and the incoming transfer would be indefinitely stuck, causing BIND 9 to hang during shutdown.

    This has been fixed, and the max-transfer-time-in and max-transfer-idle-in timeouts are now honored. [GL #4949]

  • Fix an assertion failure when receiving DNS responses over TCP.

    When matching the received Query ID in the TCP connection, an invalid Query ID could cause an assertion failure. This has been fixed. [GL #4952]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.21.1

New Features

  • Support for Offline KSK implemented.

    Add a new configuration option offline-ksk to enable Offline KSK key management. Signed Key Response (SKR) files created with dnssec-ksr (or other programs) can now be imported into named with the new rndc skr -import command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and generating signatures covering these types, these records are loaded from the currently active bundle from the imported SKR.

    The implementation is loosely based on draft-icann-dnssec-keymgmt-01.txt. [GL #1128]

  • Allow limiting the number of differences in IXFR.

    A new request-ixfr-max-diffs configuration option can set the maximum number of incoming incremental zone transfer (IXFR) differences. Exceeding it triggers a full zone transfer (AXFR). [GL #4389]

  • Print the full path of the working directory in startup log messages.

    named now prints its initial working directory during startup, and the changed working directory when loading or reloading its configuration file, if it has a valid directory option defined. [GL #4731]

  • Support a restricted key tag range when generating new keys.

    When multiple signers are being used to sign a zone, it is useful to be able to specify a restricted range of key tags to be used by an operator to sign the zone. The range can be specified with tag-range in dnssec-policy’s keys (for named and dnssec-ksr) and with the new options dnssec-keyfromlabel -M and dnssec-keygen -M. [GL #4830]

Removed Features

  • Remove the dialup and heartbeat-interval options.

    The dialup and heartbeat-interval options have been removed, along with all code implementing them. Using these options is now a fatal error. [GL #4237]

Feature Changes

  • Use deterministic ECDSA for OpenSSL >= 3.2.

    OpenSSL has added support for deterministic ECDSA (RFC 6979) with version 3.2.

    It is used by default, as it removes what is arguably the most fragile aspect of ECDSA (the per-signature random nonce). The derandomization does not pose a risk for DNS use cases and is allowed by FIPS 186-5. [GL #299]

  • Exempt prefetches from the fetches-per-zone and fetches-per-server quotas.

    Fetches generated automatically as a result of prefetch are now exempt from the fetches-per-zone and fetches-per-server quotas. This should help in maintaining the cache from which query responses can be given. [GL #4219]

  • Follow the number of CPUs set by taskset/cpuset.

    Administrators may wish to constrain the set of cores that named runs on via the taskset, cpuset, or numactl programs (or equivalents on other OSes).

    If the admin has used taskset, named now automatically uses the given number of CPUs rather than the system-wide count. [GL #4884]

Bug Fixes

  • Delay the release of root privileges until after configuring controls.

    Delay relinquishing root privileges until the control channel has been configured, for the benefit of systems that require root to use privileged port numbers. This mostly affects systems without fine-grained privilege systems (i.e., other than Linux). [GL #4793]

  • Fix a rare assertion failure when shutting down incoming transfer.

    A very rare assertion failure could be triggered when the incoming transfer was either forcefully shut down, or it finished during the printing of the details about the statistics channel. This has been fixed. [GL #4860]

  • Fix algorithm rollover bug when there are two keys with the same keytag.

    If there was an algorithm rollover and two keys of different algorithms shared the same keytags, there was the possibility that the check of whether the key matched a specific state could be performed against the wrong key. This has been fixed by not only checking for the matching key tag but also the key algorithm. [GL #4878]
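    As an added example (not BIND's own code), the RFC 4034 Appendix B key tag computation together with a constructed pair of keys that collide on a tag but differ in algorithm, showing why the lookup above must match on both, plus a tag-range check in the spirit of the new option; the sample DNSKEY bytes, key list and range are assumptions for illustration.

```python
# Added example, not BIND's own code. Key tags follow RFC 4034 Appendix B;
# the sample DNSKEY bytes and the key list below are constructed.
import struct


def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034 App. B, non-RSAMD5 variant)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def in_tag_range(tag, tag_range):
    """Accept a tag only inside the operator's (low, high) tag-range."""
    low, high = tag_range
    return low <= tag <= high


def find_keys(keys, keytag, algorithm=None):
    """Match by tag only (the old, ambiguous lookup) or by tag and algorithm."""
    return [k for k in keys
            if k["tag"] == keytag and (algorithm is None or k["alg"] == algorithm)]


# Constructed keys: two algorithms colliding on tag 2068 during a rollover.
KEYS = [
    {"name": "ksk-ecdsa", "alg": 13, "tag": 2068, "state": "omnipresent"},
    {"name": "ksk-rsa", "alg": 8, "tag": 2068, "state": "retiring"},
]


def sample_tag():
    """Tag of a constructed DNSKEY: flags 257 (KSK), protocol 3, algorithm 13."""
    return dnskey_keytag(257, 3, 13, b"\x01\x02\x03\x04")
```

Matching on the tag alone returns both keys, so a state check could land on the wrong one; adding the algorithm disambiguates.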

  • Fix an assertion failure in validate_dnskey_dsset_done().

    Under rare circumstances, named could terminate unexpectedly when validating a DNSKEY resource record if the validation had been canceled in the meantime. This has been fixed. [GL #4911]

Known Issues

  • Long-running tasks in offloaded threads (e.g. loading RPZ zones or processing zone transfers) may block the resolution of queries during these operations and cause the queries to time out.

    To work around the issue, the UV_THREADPOOL_SIZE environment variable can be set to a larger value before starting named. The recommended value is the number of RPZ zones (or number of transfers) plus the number of threads BIND should use, which is typically the number of CPUs. [GL #4898]

Notes for BIND 9.21.0

New Features

  • Implement rndc retransfer -force.

    A new optional argument -force has been added to the command rndc retransfer. When it is specified, named aborts the ongoing zone transfer (if there is one) and starts a new transfer. [GL #2299] [GL !9102]

  • Add support for external log rotation tools.

    Add two mechanisms to close open log files. The first is rndc closelogs. The second is kill -USR1 <pid>. They are intended to be used with external log rotation tools. [GL #4780] [GL !9113]

  • dig now reports a missing QUESTION section for messages with opcode QUERY.

    Query responses should contain the QUESTION section, with some exceptions. dig was not reporting this. [GL #4808] [GL !9233]

Removed Features

  • Remove OpenSSL 1.x engine support.

    OpenSSL 1.x engine support has been deprecated in OpenSSL 3.x and is going to be removed from the OpenSSL code base. Remove OpenSSL engine support from BIND 9 in favor of OpenSSL 3.x providers. [GL #4828] [GL !9252]

Feature Changes

  • Require at least OpenSSL 1.1.1.

    OpenSSL 1.1.1 or newer (or an equivalent LibreSSL version) is now required to compile BIND 9. [GL #2806] [GL !9110]

  • Tighten max-recursion-queries and add max-query-restarts configuration statement.

    There were cases when the max-recursion-queries quota was ineffective. It was possible to craft zones that would cause a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting errors in the implementation of max-recursion-queries and by reducing the default value from 100 to 32.

    In addition, a new max-query-restarts configuration statement has been added, which limits the number of times a recursive server will follow CNAME or DNAME records before terminating resolution. This was previously a hard-coded limit of 16 but is now configurable with a default value of 11.

    ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue. [GL #4741] [GL !9281]

  • Allow shorter resolver-query-timeout configuration.

    The minimum allowed value of resolver-query-timeout was lowered from its previous value of 10 000 milliseconds (which is still the default) to 301 milliseconds. Note however that values of 1 to 300 inclusive are interpreted as seconds before applying the limit. A value of zero is interpreted as the default. [GL #4320] [GL !9091]

  • Raise the log level of priming failures.

    When a priming query is complete, it was previously logged at level DEBUG(1), regardless of success or failure. It is now logged to NOTICE in the case of failure. [GL #3516] [GL !9121]

Bug Fixes

  • Fix a crash caused by valid TSIG signatures with invalid time.

    An assertion failure was triggered when the TSIG had a valid cryptographic signature but the time was invalid. This could happen when the times between the primary and secondary servers were not synchronised. The crash has now been fixed. [GL #4811] [GL !9234]

  • Return SERVFAIL for a too long CNAME chain.

    When following long CNAME chains, named was returning NOERROR (along with a partial answer) instead of SERVFAIL, if the chain exceeded the maximum length. This has been fixed. [GL #4449] [GL !9090]
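    As an added example (not BIND's own code), a toy CNAME-chain follower that applies a max-query-restarts style limit as described under Feature Changes and, on overflow, returns SERVFAIL rather than a partial NOERROR answer; the zone data is constructed, and counting one restart per CNAME followed is an assumption about the accounting.

```python
# Added example, not BIND's own code: a toy CNAME-chain follower that
# enforces a max-query-restarts style limit and returns SERVFAIL, not a
# partial NOERROR answer, when the chain is too long. Zone data is constructed,
# and "one restart per CNAME followed" is an assumption about the accounting.
MAX_QUERY_RESTARTS = 11   # BIND 9.21 default; the old hard-coded limit was 16


def resolve(zone, qname, max_restarts=MAX_QUERY_RESTARTS):
    """Return (rcode, answer) after following CNAMEs in `zone`."""
    answer = []
    name = qname
    restarts = 0
    while True:
        rr = zone.get(name)
        if rr is None:
            return "NXDOMAIN", answer        # dangling CNAME target
        rtype, rdata = rr
        answer.append((name, rtype, rdata))
        if rtype != "CNAME":
            return "NOERROR", answer
        restarts += 1
        if restarts > max_restarts:
            # Previously the partial chain leaked out as NOERROR; the fix
            # fails the query instead. The same limit also bounds CNAME loops.
            return "SERVFAIL", []
        name = rdata


def make_chain(length):
    """Constructed zone: c0 -> c1 -> ... -> c<length>, which holds an A record."""
    zone = {f"c{i}.example.test.": ("CNAME", f"c{i + 1}.example.test.")
            for i in range(length)}
    zone[f"c{length}.example.test."] = ("A", "192.0.2.10")
    return zone


# Constructed two-record CNAME loop.
LOOP = {"a.example.test.": ("CNAME", "b.example.test."),
        "b.example.test.": ("CNAME", "a.example.test.")}
```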

  • Reconfigure catz member zones during named reconfiguration.

    During a reconfiguration, named wasn’t reconfiguring catalog zones’ member zones. This has been fixed. [GL #4733]

  • Update key lifetime and metadata after dnssec-policy reconfiguration.

    Adjust key state and timing metadata if dnssec-policy key lifetime configuration is updated, so that it also affects existing keys. [GL #4677] [GL !9118]

  • Fix a crash during zone modification.

    Fix an assertion failure that could happen when an authoritative zone was modified while the server was generating an answer from that zone. [GL #4691] [GL !9126]

  • Fix assertion failure when executing named-checkconf -v to print its version. [GL #4827] [GL !9243]

  • Fix generation of 6to4-self name expansion from IPv4 address.

    The period between the most significant nibble of the encoded IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the wrong name being checked. This has been fixed. [GL #4766] [GL !9099]
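    As an added example (not BIND's own code), the name construction with the old missing period beside the corrected form; it assumes the 6to4-self name is the IP6.ARPA reverse name of the 2002:<IPv4>::/48 6to4 prefix and cross-checks that against the reverse pointer from Python's ipaddress module.

```python
# Added example, not BIND's own code. Builds the 6to4-self name for an IPv4
# address, assuming it is the IP6.ARPA reverse name of the 2002:<IPv4>::/48
# 6to4 prefix, and reproduces the missing-period bug for comparison.
import ipaddress

SUFFIX = "2.0.0.2.IP6.ARPA"


def six_to_four_self_name(ipv4, buggy=False):
    """Reverse-nibble name of the 6to4 /48 derived from `ipv4`."""
    nibbles = ipaddress.IPv4Address(ipv4).packed.hex()   # 8 hex digits
    reversed_labels = ".".join(reversed(nibbles))         # least significant first
    # The most significant nibble now sits next to the 2.0.0.2 suffix and
    # must be separated from it by a period; the old code omitted it.
    separator = "" if buggy else "."
    return reversed_labels + separator + SUFFIX


def matches_reverse_pointer(ipv4):
    """Cross-check against the standard library's ip6.arpa name for the /48."""
    hexstr = ipaddress.IPv4Address(ipv4).packed.hex()
    prefix = ipaddress.IPv6Address(f"2002:{hexstr[:4]}:{hexstr[4:]}::")
    labels = prefix.reverse_pointer.split(".")
    # The /48 is the last 12 nibble labels, followed by "ip6" and "arpa".
    return ".".join(labels[-14:]) == six_to_four_self_name(ipv4).lower()
```

With the period missing, the label "c2" is produced instead of "c" and "2", so the lookup targets a name that never exists.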

  • dig +yaml was producing unexpected and/or invalid YAML output. [GL #4796] [GL !9127]

  • SVCB ALPN text parsing failed to reject zero-length ALPN. [GL #4775] [GL !9106]

  • Fix false QNAME minimisation error being reported.

    Remove the false positive success resolving log message when QNAME minimisation is in effect and the final result is an NXDOMAIN. [GL #4784] [GL !9117]

  • Fix --enable-tracing build on systems without dtrace.

    A missing util/dtrace.sh file prevented builds on systems without the dtrace utility. This has been corrected. [GL #4835] [GL !9262]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

License

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

End of Life

BIND 9.21 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.22, which will be a stable branch. The end-of-life date for BIND 9.22 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible.