BIND 9.7.0a2 is now available.

BIND 9.7.0a2 is the second alpha release of BIND 9.7.0.

Overview:

This is a technology preview of new functionality to be included in BIND 9.7.0. Not all new functionality is in place. APIs and configuration syntax are not yet frozen.

BIND 9.7 includes a number of changes from BIND 9.6 and earlier releases. Most are intended to simplify DNSSEC configuration.

New features include:

- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "ddns-autoconf" zone option. (As a side effect, this also makes it easier to configure automatic zone re-signing.)
- New named option "attach-cache" that allows multiple views to share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 (automated trust anchor maintenance)
- Smart signing: simplified tools for zone signing and key maintenance
- The "statistics-channels" option is now enabled on Windows

Additional features planned but not included in this alpha release:

- Fully automatic signing of zones
- Improved PKCS #11 support with improved documentation
- Improved and extended libdns library

BIND 9.7.0a2 can be downloaded from:

  ftp://ftp.isc.org/isc/bind9/9.7.0a2/bind-9.7.0a2.tar.gz

The PGP signature of the distribution is at:

  ftp://ftp.isc.org/isc/bind9/9.7.0a2/bind-9.7.0a2.tar.gz.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/bind-9.7.0a2.tar.gz.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/bind-9.7.0a2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.zip
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.debug.zip

The PGP signature of the binary kit is at:

  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.zip.sha512.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.debug.zip.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.debug.zip.sha256.asc
  ftp://ftp.isc.org/isc/bind9/9.7.0a2/BIND9.7.0a2.debug.zip.sha512.asc

Changes since previous alpha (9.7.0a1):

--- 9.7.0a2 released ---

2644. [bug] Change #2628 caused a regression on some systems; named was unable to write the PID file and would fail on startup. [RT #20001]

2643. [bug] Stub zones interacted badly with NSEC3 support. [RT #19777]

2642. [bug] nsupdate could dump core on Solaris when reading improperly formatted key files. [RT #20015]

2641. [bug] Fixed an error in parsing update-policy syntax, added a regression test to check it. [RT #20007]

2640. [security] A specially crafted update packet will cause named to exit. [RT #20000]

2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]

2638. [bug] Install arpaname. [RT #19957]

2637. [func] Rationalize dnssec-signzone's signwithkey() calling. [RT #19959]

2636. [func] Simplify zone signing and key maintenance with the dnssec-* tools. Major changes:
      - all dnssec-* tools now take a -K option to specify a directory in which key files will be stored
      - DNSSEC keys can now store metadata indicating when they are scheduled to be published, activated, revoked or removed; these values can be set by dnssec-keygen or overwritten by the new dnssec-settime command
      - dnssec-signzone -S (for "smart") option reads key metadata and uses it to determine automatically which keys to publish to the zone, use for signing, revoke, or remove from the zone
      [RT #19816]

2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses. [RT #19716]

2634. [port] win32: Add support for libxml2, enable statschannel. [RT #19773]

2633. [bug] Handle 15 bit rand() functions. [RT #19783]

2632. [func] util/kit.sh: warn if documentation appears to be out of date. [RT #19922]

2631. [bug] Handle "//", "/./" and "/../" in mkdirpath(). [RT #19926]

2630. [func] Improved syntax for DDNS autoconfiguration: use "update-policy local;" to switch on local DDNS in a zone. [RT #19875]

2629. [port] Check for seteuid()/setegid(), use setresuid()/setresgid() if not present. [RT #19932]

2628. [port] linux: Allow /var/run/named/named.pid to be opened at startup with reduced capabilities in operation. [RT #19884]

2627. [bug] Named aborted if the same key was included in trusted-keys more than once. [RT #19918]

2626. [bug] Multiple trusted-keys could trigger an assertion failure. [RT #19914]

2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]

2624. [func] 'named-checkconf -p' will print out the parsed configuration. [RT #18871]

2623. [bug] Named started searches for DS non-optimally. [RT #19915]

2622. [bug] Printing of named.conf grammar was broken. [RT #19919]

2621. [doc] Made copyright boilerplate consistent. [RT #19833]

2620. [bug] Delay thawing the zone until the reload of it has completed successfully. [RT #19750]

2619. [func] Add support for RFC 5011, automatic trust anchor maintenance. The new "managed-keys" statement can be used in place of "trusted-keys" for zones which support this protocol. (Note: this syntax is expected to change prior to 9.7.0 final.) [RT #19248]

2618. [bug] The sdb and sdlz db_interator_seek() methods could loop infinitely. [RT #19847]

2617. [bug] ifconfig.sh failed to emit an error message when run from the wrong location. [RT #19375]

2616. [bug] 'host' used the nameservers from resolv.conf even when an explicit nameserver was specified. [RT #19852]

2615. [bug] "__attribute__((unused))" was in the wrong place for ia64 gcc builds. [RT #19854]

2614. [port] win32: 'named -v' should automatically be executed in the foreground. [RT #19844]

2613. [placeholder]
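
Added example (not part of the ISC announcement and not BIND code): a simplified Python model of the metadata-driven selection that change 2636 describes for "dnssec-signzone -S", with an audit step that flags a rollover schedule leaving the zone without a usable signing key. The KeyTimes field names, the key names and all dates are constructed assumptions; the real tools keep this metadata with the key files.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class KeyTimes:
    """Scheduling metadata for one key (field names are assumptions)."""
    name: str
    publish: Optional[datetime] = None
    activate: Optional[datetime] = None
    revoke: Optional[datetime] = None
    remove: Optional[datetime] = None

def due(when, now):
    """True if a scheduled time is set and has been reached."""
    return when is not None and when <= now

def plan(keys, now):
    """Sort keys into the four actions named in change 2636."""
    out = {"publish": [], "sign": [], "revoke": [], "remove": []}
    for k in keys:
        if due(k.remove, now):
            out["remove"].append(k.name)
            continue  # a removed key takes no further part
        if due(k.publish, now):
            out["publish"].append(k.name)
        if due(k.activate, now):
            out["sign"].append(k.name)
        if due(k.revoke, now):
            out["revoke"].append(k.name)
    return out

def audit(keys, now):
    """Return warnings for schedules that would leave the zone unverifiable."""
    p = plan(keys, now)
    warn = [f"{n}: signing but not published"
            for n in p["sign"] if n not in p["publish"]]
    if not p["sign"]:
        warn.append("no active signing key")
    return warn

# Constructed sample: an old key being retired and its successor.
KEYS = [
    KeyTimes("Kold", publish=datetime(2009, 1, 1),
             activate=datetime(2009, 1, 1), remove=datetime(2009, 9, 1)),
    KeyTimes("Knew", publish=datetime(2009, 8, 1),
             activate=datetime(2009, 9, 15)),
]

if __name__ == "__main__":
    for day in (datetime(2009, 8, 20), datetime(2009, 9, 5), datetime(2009, 9, 20)):
        print(day.date(), plan(KEYS, day), audit(KEYS, day))
```

In the sample schedule the old key is removed two weeks before its successor is activated, so the middle date reports "no active signing key"; running such a check over planned dates before setting them catches the gap.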