Release Notes
Introduction
BIND 9.20 is a stable branch, suitable for production use. This document summarizes significant changes since the last production release on the 9.18 branch. Please see the Changelog file for a more detailed list of changes and bug fixes.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Known Issues
On some platforms, including FreeBSD,
named
must be run as root to use therndc
control channel on a privileged port (i.e., with a port number less than 1024; this includes the defaultrndc
port
, 953). Currently, using thenamed -u
option to switch to an unprivileged user makesrndc
unusable. This will be fixed in a future release; in the meantime,mac_portacl
can be used as a workaround, as documented in https://kb.isc.org/docs/aa-00621. [GL #4793]
Notes for BIND 9.20.1
New Features
Implement
rndc retransfer -force
.A new optional argument
-force
has been added to the commandrndc retransfer
. When it is specified,named
aborts the ongoing zone transfer (if there is one) and starts a new transfer. [GL #2299] [GL !9219]dig
now reports a missing QUESTION section for messages with opcode QUERY.Query responses should contain the QUESTION section, with some exceptions.
dig
was not reporting this. [GL #4808] [GL !9269]
Feature Changes
Tighten
max-recursion-queries
and addmax-query-restarts
configuration statement.There were cases when the
max-recursion-queries
quota was ineffective. It was possible to craft zones that would cause a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting errors in the implementation ofmax-recursion-queries
and by reducing the default value from 100 to 32.In addition, a new
max-query-restarts
configuration statement has been added, which limits the number of times a recursive server will follow CNAME or DNAME records before terminating resolution. This was previously a hard-coded limit of 16 but is now configurable with a default value of 11.ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue. [GL #4741] [GL !9282]
Allow shorter
resolver-query-timeout
configuration.The minimum allowed value of
resolver-query-timeout
was lowered from its previous value of 10 000 milliseconds (which is still the default) to 301 milliseconds. Note however that values of 1 to 300 inclusive are interpreted as seconds before applying the limit. A value of zero is interpreted as the default. [GL #4320] [GL !9220]Raise the log level of priming failures.
When a priming query is complete, it was previously logged at level
DEBUG(1)
, regardless of success or failure. It is now logged toNOTICE
in the case of failure. [GL #3516] [GL !9250]
Bug Fixes
Fix a crash caused by valid TSIG signatures with invalid time.
An assertion failure was triggered when the TSIG had a valid cryptographic signature but the time was invalid. This could happen when the times between the primary and secondary servers were not synchronised. The crash has now been fixed. [GL #4811] [GL !9245]
Return SERVFAIL for a too long CNAME chain.
When following long CNAME chains,
named
was returning NOERROR (along with a partial answer) instead of SERVFAIL, if the chain exceeded the maximum length. This has been fixed. [GL #4449] [GL !9203]Reconfigure catz member zones during
named
reconfiguration.During a reconfiguration,
named
wasn’t reconfiguring catalog zones’ member zones. This has been fixed. [GL #4733]Update key lifetime and metadata after
dnssec-policy
reconfiguration.Adjust key state and timing metadata if
dnssec-policy
key lifetime configuration is updated, so that it also affects existing keys. [GL #4677] [GL !9191]Fix a crash during zone modification.
Fix an assertion failure that could happen when an authoritative zone was modified while the server was generating an answer from that zone. [GL #4691] [GL !9126]
Fix assertion failure when executing
named-checkconf -v
to print its version. [GL #4827] [GL !9246]Fix generation of 6to4-self name expansion from IPv4 address.
The period between the most significant nibble of the encoded IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the wrong name being checked. This has been fixed. [GL #4766] [GL !9217]
dig +yaml
was producing unexpected and/or invalid YAML. output. [GL #4796] [GL !9213]SVBC ALPN text parsing failed to reject zero-length ALPN. [GL #4775] [GL !9209]
Fix false QNAME minimisation error being reported.
Remove the false positive
success resolving
log message when QNAME minimisation is in effect and the final result is an NXDOMAIN. [GL #4784] [GL !9215]Fix
--enable-tracing
build on systems without dtrace.A missing
util/dtrace.sh
file prevented builds on systems without thedtrace
utility. This has been corrected. [GL #4835] [GL !9272]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.20.0
Note
This section only lists changes since BIND 9.18.28, the most recent release on the previous stable branch of BIND at the time of the publication of BIND 9.20.0.
New Features
The
forwarders
statement now supports thetls
argument, to be used to forward queries to DoT-enabled servers. [GL #3726]named
now supports forwarding Dynamic DNS updates through DNS-over-TLS (DoT). [GL #3512]The
nsupdate
tool now supports DNS-over-TLS (DoT). [GL !6752]The
tls
block was extended with a newcipher-suites
option that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. [GL #3504]Initial support for the PROXYv2 protocol was added.
named
can now accept PROXYv2 headers over all currently implemented DNS transports anddig
can insert these headers into the queries it sends. Please consult the related documentation (allow-proxy
,allow-proxy-on
,listen-on
, andlisten-on-v6
fornamed
,dig +proxy
anddig +proxy-plain
fordig
) for additional details. [GL #4388]The client-side support of the EDNS EXPIRE option has been expanded to include IXFR and AXFR query types. This enhancement enables
named
to perform AXFR and IXFR queries while incorporating the EDNS EXPIRE option. [GL #4170]A new configuration option
require-cookie
has been introduced. It specifies whether there should be a DNS COOKIE in the response for a given prefix; if not,named
falls back to TCP. This is useful if it is known that a given server supports DNS COOKIE. It can also be used to force all non-DNS COOKIE responses to fall back to TCP. [GL #2295]The
check-svcb
option has been added to control the checking of additional constraints on SVCB records. This change affectsnamed
,named-checkconf
,named-checkzone
,named-compilezone
, andnsupdate
. [GL #3576]The new
resolver-use-dns64
option enablesnamed
to applydns64
rules to IPv4 server addresses when sending recursive queries, so that resolution can be performed over a NAT64 connection. [GL #608]A new option to
dnssec-policy
has been added,cdnskey
, that allows users to enable or disable the publication of CDNSKEY records. [GL #4050]When using
dnssec-policy
, it is now possible to configure the digest type to use when CDS records need to be published withcds-digest-types
. Also, publication of specific CDNSKEY/CDS records can now be set withdnssec-signzone -G
. [GL #3837]Support for multi-signer model 2 (RFC 8901) when using
inline-signing
was added. [GL #2710]HSM support was added to
dnssec-policy
. Keys can now be configured with akey-store
that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. [GL #1129]A new DNSSEC tool
dnssec-ksr
has been added to create Key Signing Request (KSR) and Signed Key Response (SKR) files. [GL #1128]dnssec-verify
anddnssec-signzone
now accept a-J
option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]dnssec-keygen
now allows the options-k
and-f
to be used together. This allows the creation of keys for a givendnssec-policy
that match only the KSK (-fK
) or ZSK (-fZ
) roles. [GL #1128]The
response-policy
statement was extended with a new argumentede
. It enables an RFC 8914 Extended DNS Error (EDE) code of choice to be set for responses which have been modified by a given RPZ. [GL #3410]A new way of configuring the preferred source address when talking to remote servers, such as
primaries
andparental-agents
, has been added: setting thesource
and/orsource-v6
arguments for a given statement is now possible. This new approach is intended to eventually replace statements such asparental-source
,parental-source-v6
,transfer-source
, etc. [GL #3762]The new command-line
delv +ns
option activates name server mode, to more accurately reproduce the behavior ofnamed
when resolving a query. In this mode,delv
uses an internal recursive resolver rather than an external server. All messages sent and received during the resolution and validation process are logged. This can be used in place ofdig +trace
. [GL #3842]The read timeout in
rndc
can now be specified on the command line using the-t
option, allowing commands that take a long time to complete sufficient time to do so. [GL #4046]The statistics channel now includes information about incoming zone transfers that are currently in progress. [GL #3883]
Information on incoming zone transfers in the statistics channel now also shows the zones’ “first refresh” flag, which indicates that a zone is not fully ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the
rndc status
command. [GL #4241]Added a new statistics variable
recursive high-water
that reports the maximum number of simultaneous recursive clients BIND has handled while running. [GL #4668]A new command,
rndc fetchlimit
, prints a list of name server addresses that are currently rate-limited due tofetches-per-server
and domain names that are rate-limited due tofetches-per-zone
. [GL #665]Queries and responses now emit distinct dnstap entries for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), and
dnstap-read
understands these entries. [GL #4523]dnstap-read
can now print long timestamps with millisecond precision. [GL #2360]Support for libsystemd’s
sd_notify()
function was added, enablingnamed
to report its status to the init system. This allows systemd to wait untilnamed
is fully ready before starting other services that depend on name resolution. [GL #1176]Support for User Statically Defined Tracing (USDT) probes has been added. These probes enable fine-grained application tracing and introduce no overhead when they are not enabled. [GL #4041]
Removed Features
Support for Red Hat Enterprise Linux version 7 (and clones) has been dropped. A C11-compliant compiler is now required to compile BIND 9. [GL #3729]
Compiling with jemalloc versions older than 4.0.0 is no longer supported; those versions do not provide the features required by current BIND 9 releases. [GL #4296]
The
auto-dnssec
configuration statement has been removed. Please usednssec-policy
or manual signing instead. See article how to migrate fromauto-dnssec
todnssec-policy
.The following statements have become obsolete:
dnskey-sig-validity
,dnssec-dnskey-kskonly
,dnssec-update-mode
,sig-validity-interval
, andupdate-check-ksk
. [GL #3672]Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no longer trigger key rollovers and denial-of-existence operations. This also means that the
dnssec-secure-to-insecure
option has been obsoleted. [GL #3686]The
glue-cache
option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]Configuring the control channel to use a Unix domain socket has been a fatal error since BIND 9.18. The feature has now been completely removed and
named-checkconf
now reports it as a configuration error. [GL #4311]The statements setting alternate local addresses for inbound zone transfers (
alt-transfer-source
,alt-transfer-source-v6
, anduse-alt-transfer-source
) have been removed. [GL #3714]The
resolver-nonbackoff-tries
andresolver-retry-interval
statements have been removed. Using them is now a fatal error. [GL #4405]BIND 9 no longer supports non-zero
stale-answer-client-timeout
values, when the feature is turned on. When using a non-zero value,named
now generates a warning log message, and treats the value as0
. [GL #4447]The Differentiated Services Code Point (DSCP) feature has been removed: configuring DSCP values in
named.conf
is now a configuration error. [GL #3789]The
keep-response-order
option has been declared obsolete and the functionality has been removed.named
expects DNS clients to be fully compliant with RFC 7766. [GL #3140]Zone type
delegation-only
, and thedelegation-only
androot-delegation-only
statements, have been removed. Using them is a configuration error.These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed. [GL #3953]
The
coresize
,datasize
,files
, andstacksize
options have been removed. The limits these options set should be enforced externally, either by manual configuration (e.g. usingulimit
) or via the process supervisor (e.g.systemd
). [GL #3676]Support for using AES as the DNS COOKIE algorithm (
cookie-algorithm aes;
) has been removed. The only supported DNS COOKIE algorithm is now the current default, SipHash-2-4. [GL #4421]The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been removed and using TKEY Mode 2 is now a fatal error. Users are advised to switch to TKEY Mode 3 (GSS-API). [GL #3905]
Special-case code that was originally added to allow GSS-TSIG to work around bugs in the Windows 2000 version of Active Directory has now been removed, since Windows 2000 is long past end-of-life. The
-o
option and theoldgsstsig
command tonsupdate
have been deprecated, and are now treated as synonyms for-g
andgsstsig
respectively. [GL #4012]Support for the
lock-file
statement and thenamed -X
command-line option has been removed. An external process supervisor should be used instead. [GL #4391]Alternatively, the
flock
utility (part of util-linux) can be used on Linux systems to achieve the same effect aslock-file
ornamed -X
:flock -n -x <directory>/named.lock <path>/named <arguments>
The
named
command-line option-U
, which specified the number of UDP dispatches, has been removed. Using it now returns a warning. [GL #1879]The
--with-tuning
option forconfigure
has been removed. Each of the compile-time settings that required different values based on the “workload” (which were previously affected by the value of the--with-tuning
option) has either been removed or changed to a sensible default. [GL #3664]The functions that were in the
libbind9
shared library have been moved to thelibisc
andlibisccfg
libraries. The now-emptylibbind9
has been removed and is no longer installed. [GL #3903]The
irs_resconf
module has been moved to thelibdns
shared library. The now-emptylibirs
library has been removed and is no longer installed. [GL #3904]
Deprecated Features
Features listed in this section still work but are scheduled for eventual removal.
The use of the
max-zone-ttl
option inoptions
andzone
blocks has been deprecated; it should now be configured as part ofdnssec-policy
. A warning is logged if this option is used inoptions
orzone
blocks. In a future release, it will become nonoperational. [GL #2918]The
sortlist
option has been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4593]The
fixed
value for therrset-order
option and the correspondingconfigure
script option have been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4446]
Feature Changes
BIND now depends on liburcu, Userspace RCU, for lock-free data structures. [GL #3934]
On Linux, libcap is now a required dependency to help
named
keep needed privileges. [GL #3583]Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. libuv should be available on all supported platforms either as a native package or as a backport. [GL #3567]
Outgoing zone transfers are no longer enabled by default. An explicit
allow-transfer
ACL must now be set at thezone
,view
, oroptions
level to enable outgoing transfers. [GL #4728]DNS zones signed using
dnssec-policy
now automatically detect their parent servers, and BIND queries them to check the content of the DS RRset. This allows DNSSEC key rollovers to safely and automatically proceed when the parent zone is updated with new DNSSEC keys, i.e. using the CDS/CDNSKEY mechanism. This behavior is facilitated by the newcheckds
feature, which automatically populatesparental-agents
by resolving the parent NS records. These parent name servers are queried to check the DS RRset during a KSK rollover initiated bydnssec-policy
. [GL #3901]The responsiveness of
named
was improved, when serving as an authoritative DNS server for a delegation-heavy zone(s) shortly after loading such zone(s). [GL #4045]To improve query-processing latency under load, the uninterrupted time spent on resolving long chains of cached domain names has been reduced. [GL #4185]
QNAME minimization is now used when looking up the addresses of name servers during the recursive resolution process. [GL #4209]
BIND now returns BADCOOKIE for out-of-date or otherwise bad but well-formed DNS server cookies. [GL #4194]
The DNS name compression algorithm used in BIND 9 has been revised: it now compresses more thoroughly than before, so responses containing names with many labels might have a smaller encoding than before. [GL #3661]
Processing large incremental transfers (IXFR) has been offloaded to a separate work thread so that it does not prevent networking threads from processing regular traffic in the meantime. [GL #4367]
Querying the statistics channel no longer blocks DNS communication on the networking event loop level. [GL #4680]
The
inline-signing
zone option is now ignored if there is nodnssec-policy
configured for the zone. This means that unsigned zones no longer create redundant signed versions of the zone. [GL #4349]The
inline-signing
statement can now also be set insidednssec-policy
. The built-in policiesdefault
andinsecure
enable the use ofinline-signing
. Ifinline-signing
is set at thezone
level, it overrides the value set indnssec-policy
. [GL #3677]Following RFC 9276 recommendations,
dnssec-policy
now only allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using NSEC3 that the policy manages. [GL #4363]The maximum number of NSEC3 iterations allowed for validation purposes has been lowered from 150 to 50. DNSSEC responses containing NSEC3 records with iteration counts greater than 50 are now treated as insecure. [GL #4363]
The
dnssec-validation yes
option now requires an explicitly configuredtrust-anchors
statement. If using manual trust anchors is not operationally required, then please consider usingdnssec-validation auto
instead. [GL #4373]named-compilezone
no longer performs zone integrity checks by default; this allows faster conversion of a zone file from one format to another. [GL #4364]Zone checks can be performed by running
named-checkzone
separately, or the previous default behavior can be restored by using:named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
The red-black tree data structure used in the RBTDB (the default database implementation for cache and zone databases), has been replaced with QP-tries. This is expected to improve performance and scalability, though in the current implementation large zones require roughly 15% more memory than the old red-black tree data structure.
A side effect of this change is that zone files that are created with
masterfile-style
relative
- for example, the output ofdnssec-signzone
- will no longer have multiple different $ORIGIN statements. There should be no other changes to server behavior.The old RBT-based database still exists for now, and can be used by specifying
database rbt
in azone
statement innamed.conf
, or by compiling withconfigure --with-zonedb=rbt --with-cachedb=rbt
. [GL #4411] [GL #4614]Multiple RNDC messages are now processed when sent in a single TCP message.
ISC would like to thank Dominik Thalhammer for reporting the issue and preparing the initial patch. [GL #4416]
The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by “+”, followed by the key ID: for example,
8+54274
. [GL #3525]The TTL of the NSEC3PARAM record for every NSEC3-signed zone was previously set to 0. It is now changed to match the SOA MINIMUM value for the given zone. [GL #3570]
On startup,
named
now sets the limit on the number of open files to the maximum allowed by the operating system, instead of trying to set it to “unlimited”. [GL #3676]When an international domain name is not valid according to IDNA2008,
dig
now tries to convert it according to IDNA2003 rules, or pass it through unchanged, instead of stopping with an error message. Theidna2
utility can be used to check IDNA syntax. [GL #3527]The memory statistics have been reduced to a single counter,
InUse
;Malloced
is an alias that holds the same value. The other counters were usable with the old BIND 9 internal memory allocator, but they are unnecessary now that the latter has been removed. [GL #3718]The log message
resolver priming query complete
has been moved from the INFO log level to the DEBUG(1) log level, to preventdelv
from emitting that message when setting up its internal resolver. [GL #3842]Worker threads’ event loops are now managed by a new “loop manager” API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. [GL #3508]
The code for DNS over TCP and DNS over TLS transports has been replaced with a new, unified transport implementation. [GL #3374]
Bug Fixes
When the same
notify-source
address and port number was configured for multiple destinations and zones, an unresponsive server could tie up the relevant network socket until it timed out; in the meantime, NOTIFY messages for other servers silently failed.named
will now retry sending such NOTIFY messages over TCP. Furthermore, NOTIFY failures are now logged at the INFO level. [GL #4001] [GL #4002]DNS compression is no longer applied to the root name (
.
) if it is repeatedly used in the same RRset. [GL #3423]named
could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. This has been fixed. [GL #1967]
Known Issues
On some platforms, including FreeBSD,
named
must be run as root to use therndc
control channel on a privileged port (i.e., with a port number less than 1024; this includes the defaultrndc
port
, 953). Currently, using thenamed -u
option to switch to an unprivileged user makesrndc
unusable. This will be fixed in a future release; in the meantime,mac_portacl
can be used as a workaround, as documented in https://kb.isc.org/docs/aa-00621. [GL #4793]See above for a list of all known issues affecting this BIND 9 branch.
License
BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the COPYING
file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.20 is a stable branch, suitable for production use. After it has been in production use for a while it will be designated as an Extended Support Version (ESV). Until then, the current ESV is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.