  • BIND 9.4.0a5 is now available.


    BIND 9.4.0a5 is now available.

    BIND 9.4.0a5 is an alpha release for BIND 9.4.0.

    This is the first public alpha release for 9.4.0.

    If we have promised you that a bugfix will be included in 9.4.0
    and it is not in this release please let us know by mailing
    to bind9-bugs (AT) isc (DOT) org.

    Please as a minimum perform a test build on your operating
    system. We don't have test platforms for every operating
    system and sometimes we accidentally break builds. Now is
    the time to tell us about that.

    Now is also the last time to report bugs not introduced in
    this release cycle. Once we go to beta we concentrate on
    removing bugs introduced in this release cycle. The aim
    is to be better than and definitely no worse than the last
    release. Bugs should be reported to bind9-bugs (AT) isc (DOT) org.

    BIND 9.4 has a number of new features over 9.3, including:

    Implemented "additional section caching" (or "acache"), an
    internal cache framework for additional section content to
    improve response performance. Several configuration options
    were provided to control the behavior.

    New notify type 'master-only'. Enable notify for master
    zones only.

    Accept 'notify-source' style syntax for query-source.

    rndc now allows addresses to be set in the server clauses.

    New option "allow-query-cache". This lets allow-query be
    used to specify the default zone access level rather than
    having to have every zone override the global value.

    allow-query-cache can be set at both the options and view
    levels. If allow-query-cache is not set allow-query applies.

    rndc: the source address can now be specified.

    ixfr-from-differences now takes master and slave in addition
    to yes and no at the options and view levels.

    Allow the journal's name to be changed via named.conf.

    'rndc notify zone [class [view]]' resend the NOTIFY messages
    for the specified zone.

    'dig +trace' now randomly selects the next servers to try.
    Report if there is a bad delegation.

    Improve check-names error messages.

    Make public the function to read a key file, dst_key_read_public().

    dig now returns the byte count for axfr/ixfr.

    allow-update is now settable at the options / view level.

    named-checkconf now checks the logging configuration.

    host now can turn on memory debugging flags with '-m'.

    Don't send notify messages to self.

    Perform sanity checks on NS records which refer to 'in zone' names.

    New zone option "notify-delay". Specify a minimum delay
    between sets of NOTIFY messages.

    Extend adjusting TTL warning messages.

    Named and named-checkzone can now both check for non-terminal
    wildcard records.

    "rndc freeze/thaw" now freezes/thaws all zones.

    named-checkconf now checks acls to verify that they only
    refer to existing acls.

    The server syntax has been extended to support a range of
    servers.

    Report differences between hints and real NS rrset and
    associated address records.

    Preserve the case of domain names in rdata during zone
    transfers.

    Restructured the data locking framework using architecture
    dependent atomic operations (when available), improving
    response performance on multi-processor machines significantly.
    x86, x86_64, alpha, powerpc, and mips are currently supported.

    UNIX domain controls are now supported.

    Add support for additional zone file formats for improving
    loading performance. The masterfile-format option in
    named.conf can be used to specify a non-default format. A
    separate command named-compilezone was provided to generate
    zone files in the new format. Additionally, the -I and -O
    options for dnssec-signzone specify the input and output
    formats.

    dnssec-signzone can now randomize signature end times
    (dnssec-signzone -j jitter).

    Add support for CH A record.

    Add additional zone data consistency checks. named-checkzone
    has extended checking of NS, MX and SRV records and the hosts
    they reference. named has extended post zone load checks.
    New zone options: check-mx and integrity-check.

    edns-udp-size can now be overridden on a per server basis.

    dig can now specify the EDNS version when making a query.

    Added framework for handling multiple EDNS versions.

    Additional memory debugging support to track size and mctx
    arguments.

    Detect duplicates of UDP queries we are recursing on and
    drop them. New stats category "duplicates".

    Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

    The lame cache is now done on a <qname,qclass,qtype> basis
    as some servers only appear to be lame for certain query
    types.

    Limit the number of recursive clients that can be waiting
    for a single query (<qname,qtype,qclass>) to resolve. New
    options clients-per-query and max-clients-per-query.

    dig: report the number of extra bytes still left in the
    packet after processing all the records.

    Support for IPSECKEY rdata type.

    Raise the UDP receive buffer size to 32k if it is less than 32k.

    x86 and x86_64 now have separate atomic locking implementations.

    named-checkconf now validates update-policy entries.

    Attempt to make the amount of work performed in an iteration
    self tuning. This covers nodes clean from the cache per
    iteration, nodes written to disk when rewriting a master
    file and nodes destroyed per iteration when destroying a
    zone or a cache.

    ISC string copy API.

    Automatic empty zone creation for D.F.IP6.ARPA and friends.
    Note: RFC 1918 zones are not yet covered by this but are
    likely to be in a future release.
    New options: empty-server, empty-contact, empty-zones-enable
    and disable-empty-zone.

    dig now has a '-q queryname' and '+showsearch' options.

    host/nslookup now continue (default)/fail on SERVFAIL.

    dig now warns if 'RA' is not set in the answer when 'RD'
    was set in the query. host/nslookup skip servers that fail
    to set 'RA' when 'RD' is set unless a server is explicitly
    set.

    Integrate contributed DLZ code into named.

    Integrate contributed IDN code from JPNIC.

    Validate pending NS RRsets, in the authority section, prior
    to returning them if it can be done without requiring DNSKEYs
    to be fetched.

    It is now possible to configure named to accept expired
    RRSIGs. Default "dnssec-accept-expired no;". Setting
    "dnssec-accept-expired yes;" leaves named vulnerable to
    replay attacks.

    Additional memory leakage checks.

    The maximum EDNS UDP response named will send can now be
    set in named.conf (max-udp-size). This is independent of
    the advertised receive buffer (edns-udp-size).

    Named now falls back to advertising EDNS with a 512 byte
    receive buffer if the initial EDNS queries fail.

    Control the zeroing of the negative response TTL to a soa
    query. Defaults "zero-no-soa-ttl yes;" and
    "zero-no-soa-ttl-cache no;".

    Separate out MX and SRV to CNAME checks.

    dig/nslookup/host: warn about missing "QR".

    TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
    HMACSHA512 support.

    dnssec-signzone: output the SOA record as the first record
    in the signed zone.

    Two new update policies. "selfsub" and "selfwild".

    dig, nslookup and host now advertise a 4096 byte EDNS UDP
    buffer size by default.

    Report when a zone is removed.

    DS/DLV SHA256 digest algorithm support.

    Implement "rrset-order fixed".

    Check the KSK flag when updating a secure dynamic zone.
    New zone option "update-check-ksk yes;".

    It is now possible to explicitly enable DNSSEC validation.
    default dnssec-validation no; to be changed to yes in 9.5.0.

    It is now possible to enable/disable DNSSEC validation
    from rndc. This is useful for the mobile hosts where the
    current connection point breaks DNSSEC (firewall/proxy).

        rndc validation newstate [view]

    dnssec-signzone can now update the SOA record of the signed
    zone, either as an increment or as the system time().

    Statistics about acache now recorded and sent to log.

    libbind: corresponds to that from BIND 8.4.7.

    BIND 9.4.0a5 can be downloaded from
    The PGP signatures of the distribution are at
    The signatures were generated with the ISC public key, which is
    available at <>.
    A binary kit for Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 is at
    The PGP signatures of the binary kit for Windows NT 4.0, Windows 2000,
    Windows XP and Windows 2003 are at

    Changes since 9.4.0a1.

    9.4.0a5 released

    2015. [cleanup] use-additional-cache is now acache-enable for
        consistency. Default acache-enable off in BIND 9.4
        as it requires memory usage to be configured.
        It may be enabled by default in BIND 9.5 once we
        have more experience with it.
    2014. [func] Statistics about acache now recorded and sent
        to log. [RT #15976]
    2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR
        responses more gracefully. [RT #15941]
    2012. [func] Don't insert new acache entries if acache is full.
        [RT #15970]
    2011. [func] dnssec-signzone can now update the SOA record of
        the signed zone, either as an increment or as the
        system time(). [RT #15633]

    9.4.0a4 released

    2009. [bug] libbind: coverity fixes. [RT #15808]
    2008. [func] It is now possible to enable/disable DNSSEC
        validation from rndc. This is useful for the
        mobile hosts where the current connection point
        breaks DNSSEC (firewall/proxy). [RT #15592]
            rndc validation newstate [view]
    2007. [func] It is now possible to explicitly enable DNSSEC
        validation. default dnssec-validation no; to
        be changed to yes in 9.5.0. [RT #15674]
    2006. [security] Allow-query-cache and allow-recursion now default
        to the builtin acls "localnets" and "localhost".
        This is being done to make caching servers less
        attractive as reflective amplifying targets for
        spoofed traffic. This still leaves authoritative
        servers exposed.
        The best fix is for full BCP 38 deployment to
        remove spoofed traffic.
    2005. [bug] libbind: Retransmission timeouts should be
        based on which attempt it is to the nameserver
        and not the nameserver itself. [RT #13548]
    2004. [bug] dns_tsig_sign() could pass a NULL pointer to
        dst_context_destroy() when cleaning up after an
        error. [RT #15835]
    2003. [bug] libbind: The DNS name/address lookup functions could
        occasionally follow a random pointer due to
        structures not being completely zeroed. [RT #15806]
    2002. [bug] libbind: tighten the constraints on when
        struct addrinfo._ai_pad exists. [RT #15783]
    2001. [func] Check the KSK flag when updating a secure dynamic zone.
        New zone option "update-check-ksk yes;". [RT #15817]
    2000. [bug] memmove()/strtol() fix was incomplete. [RT #15812]
    1999. [func] Implement "rrset-order fixed". [RT #13662]
    1998. [bug] Restrict handling of fifos as sockets to just SS.
        This allows named to connect to entropy gathering
        daemons that use fifos instead of sockets. [RT #15840]
    1997. [bug] Named was failing to replace negative cache entries
        when a positive one for the type was learnt.
        [RT #15818]
    1996. [bug] nsupdate: if a zone has been specified it should
        appear in the output of 'show'. [RT #15797]
    1995. [bug] 'host' was reporting multiple "is an alias" messages.
        [RT #15702]
    1994. [port] SSL 0.9.8 support. [RT #15694]
    1993. [bug] Log messages, via syslog, were missing the space
        after the timestamp if "print-time yes" was specified.
        [RT #15844]
    1992. [bug] Not all incoming zone transfer messages included the
        view. [RT #15825]
    1991. [cleanup] The configuration data, once read, should be treated
        as readonly. Expand the use of const to enforce this
        at compile time. [RT #15813]
    1990. [bug] libbind: isc's override of broken gettimeofday()
        implementations was not always effective.
        [RT #15709]
    1989. [bug] win32: don't check the service password when
        re-installing. [RT #15882]
    1988. [bug] Remove a bus error from the SHA256/SHA512 support.
        [RT #15878]
    1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
    1986. [func] Report when a zone is removed. [RT #15849]
    1985. [protocol] DLV has now been assigned an official type code of
        32769. [RT #15807]
        Note: care should be taken to ensure you upgrade
        both named and dnssec-signzone at the same time for
        zones with DLV records where named is the master
        server for the zone. Also any zones that contain
        DLV records should be removed when upgrading a slave
        zone. You do not however have to upgrade all
        servers for a zone with DLV records simultaneously.
    1984. [func] dig, nslookup and host now advertise a 4096 byte
        EDNS UDP buffer size by default. [RT #15855]
    1983. [func] Two new update policies. "selfsub" and "selfwild".
        [RT #12895]
    1982. [bug] DNSKEY was being accepted on the parent side of
        a delegation. KEY is still accepted there for
        RFC 3007 validated updates. [RT #15620]
    1981. [bug] win32: condition.c:wait() could fail to reattain
        the mutex lock.
    1980. [func] dnssec-signzone: output the SOA record as the
        first record in the signed zone. [RT #15758]
    1979. [port] linux: allow named to drop core after changing
        user ids. [RT #15753]
    1978. [port] Handle systems which have a broken recvmsg().
        [RT #15742]
    1977. [bug] Silence noisy log message. [RT #15704]
    1976. [bug] Handle systems with no IPv4 addresses. [RT #15695]
    1975. [bug] libbind: isc_gethexstring() could misparse multi-line
        hex strings with comments. [RT #15814]
    1974. [doc] List each of the zone types and associated zone
        options separately in the ARM.
    1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
        HMACSHA512 support. [RT #13606]
    1972. [contrib] DBUS dynamic forwarders integration from
        Jason Vas Dias <jvdias (AT) redhat (DOT) com>.
    1971. [port] linux: make detection of missing IF_NAMESIZE more
        robust. [RT #15443]
    1970. [bug] nsupdate: adjust UDP timeout when falling back to
        unsigned SOA query. [RT #15775]
    1969. [bug] win32: the socket code was freeing the socket
        structure too early. [RT #15776]
    1968. [bug] Missing lock in resolver.c:validated(). [RT #15739]
    1967. [func] dig/nslookup/host: warn about missing "QR". [RT #15779]
    1966. [bug] Don't set CD when we have fallen back to plain DNS.
        [RT #15727]
    1965. [func] Suppress spurious "recursion requested but not
        available" warning with 'dig +qr'. [RT #15780].
    1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723]
    1963. [port] Tru64 4.0E doesn't support send() and recv().
        [RT #15586]
    1962. [bug] Named failed to clear old update-policy when it
        was removed. [RT #15491]
    1961. [bug] Check the port and address of responses forwarded
        to dispatch. [RT #15474]
    1960. [bug] Update code should set NSEC ttls from SOA MINIMUM.
        [RT #15465]
    1959. [func] Control the zeroing of the negative response TTL to
        a soa query. Defaults "zero-no-soa-ttl yes;" and
        "zero-no-soa-ttl-cache no;". [RT #15460]
    1958. [bug] Named failed to update the zone's secure state
        until the zone was reloaded. [RT #15412]
    1957. [bug] Dig mishandled responses to class ANY queries.
        [RT #15402]
    1956. [bug] Improve cross compile support, 'gen' is now built
        by native compiler. See README for additional
        cross compile support information. [RT #15148]
    1955. [bug] Pre-allocate the cache cleaning iterator. [RT #14998]
    1954. [func] Named now falls back to advertising EDNS with a
        512 byte receive buffer if the initial EDNS queries
        fail. [RT #14852]
    1953. [func] The maximum EDNS UDP response named will send can
        now be set in named.conf (max-udp-size). This is
        independent of the advertised receive buffer
        (edns-udp-size). [RT #14852]
    1952. [port] hpux: tell the linker to build a runtime link
        path "-Wl,+b:". [RT #14816].
    1951. [security] Drop queries from particular well known ports.
        Don't return FORMERR to queries from particular
        well known ports. [RT #15636]
    1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect()
        a TCP socket. This prevents the source address being
        set for TCP connections. [RT #15628]
    1949. [func] Additional memory leakage checks. [RT #15544]
    1948. [bug] It was possible to trigger a REQUIRE failure in
        xfrin.c:maybe_free() if named ran out of memory.
        [RT #15568]
    1947. [func] It is now possible to configure named to accept
        expired RRSIGs. Default "dnssec-accept-expired no;".
        Setting "dnssec-accept-expired yes;" leaves named
        vulnerable to replay attacks. [RT #14685]
    1946. [bug] resume_dslookup() could trigger a REQUIRE failure
        when using forwarders. [RT #15549]
    1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended.
        To generate an RSAMD5 key you must explicitly request
        RSAMD5. [RT #13780]
    1944. [cleanup] isc_hash_create() does not need a read/write lock.
        [RT #15522]
    1943. [bug] Set the loadtime after rolling forward the journal.
        [RT #15647]
    1597. [func] Allow notify-source and query-source to be specified
        on a per server basis similar to transfer-source.
        [RT #6496]

    9.4.0a3 released

    1942. [bug] If the name of a DNSKEY matches that of one in
        trusted-keys do not attempt to validate the DNSKEY
        using the parent's DS RRset. [RT #15649]
    1941. [bug] ncache_adderesult() should set eresult even if no
        rdataset is passed to it. [RT #15642]
    1940. [bug] Fixed a number of error conditions reported by
        Coverity.
    1939. [bug] The resolver could dereference a null pointer after
        validation if all the queries have timed out.
        [RT #15528]
    1938. [bug] The validator was not correctly handling unsecure
        negative responses at or below a SEP. [RT #15528]
    1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
    1936. [bug] The validator could leak memory. [RT #15544]
    1935. [bug] 'acache' was D sensitive. [RT #15430]
    1934. [func] Validate pending NS RRsets, in the authority section,
        prior to returning them if it can be done without
        requiring DNSKEYs to be fetched. [RT #15430]
    1919. [contrib] queryperf: a set of new features: collecting/printing
        response delays, printing intermediate results, and
        adjusting query rate for the "target" qps.

    9.4.0a2 released

    1933. [bug] dump_rdataset_raw() had an incorrect INSIST. [RT #15534]
    1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
    1931. [bug] Per-client mctx could require a huge amount of memory,
        particularly for a busy caching server. [RT #15519]
    1930. [port] HPUX: ia64 support. [RT #15473]
    1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
    1928. [bug] Race in rbtdb.c:currentversion(). [RT #15517]
    1927. [bug] Access to soanode or nsnode in rbtdb violated the
        lock order rule and could cause a deadlock.
        [RT #15518]
    1926. [bug] The Windows installer did not check for empty
        passwords. BINDinstall was being installed in
        the wrong place. [RT #15483]
    1925. [port] All outer level AC_TRY_RUNs need cross compiling
        defaults. [RT #15469]
    1924. [port] libbind: hpux ia64 support. [RT #15473]
    1923. [bug] ns_client_detach() called too early. [RT #15499]
    1922. [bug] check-tool.c:setup_logging() missing call to
        dns_log_setcontext().
    1921. [bug] Client memory contexts were not using internal
        malloc. [RT #15434]
    1920. [bug] The cache rbtdb lock array was too small to
        have the desired performance characteristics.
        [RT #15454]

    9.4.0a1 released
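
An added example, not part of the ISC announcement: a small named.conf audit for the cache-access and DNSSEC options described above (change 2006, change 1947 and the "allow-query-cache" feature note). The sample configuration is constructed, the names `parse`, `acl` and `audit` are hypothetical, and the parser is simplified: it reads only `options` and `view` scopes and does not resolve named acls or `include` files.

```python
import re

# Constructed sample named.conf, not taken from the announcement.
SAMPLE_CONF = '''
options {
    allow-query { any; };            // constructed: public zone data
    dnssec-accept-expired yes;
};
view "internal" {
    allow-recursion { localnets; localhost; };
    allow-query-cache { 10.0.0.0/8; };
    zone "example.test" { type master; allow-query { any; }; };
};
view "external" { allow-recursion { any; }; };
'''

# Quoted strings, comments, punctuation, bare words (comments are dropped in audit).
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|(?://|#)[^\n]*|[{};]|[^\s{};"]+', re.S)

def parse(tokens):
    """Parse 'words [{ block }] ;' statements until '}' or end of input."""
    stmts, words, block = [], [], None
    for tok in tokens:
        if tok == "{":
            block = parse(tokens)        # nested block shares the same iterator
        elif tok == "}":
            break
        elif tok == ";":
            if words or block is not None:
                stmts.append((words, block))
            words, block = [], None
        else:
            words.append(tok)
    return stmts

def acl(name, *scopes):
    """First address-match list called `name` set directly in one of the scopes."""
    for stmts in scopes:
        for words, block in stmts:
            if words == [name] and block is not None:
                return [" ".join(w) for w, _ in block]
    return None

def audit(conf_text):
    """Return sorted (scope, option, reason) findings for options and views."""
    top = parse(t for t in TOKEN.findall(conf_text) if not t.startswith(("/*", "//", "#")))
    opts = next((b for w, b in top if w == ["options"] and b is not None), [])
    views = [(w[1].strip('"'), b) for w, b in top
             if w[:1] == ["view"] and len(w) > 1 and b is not None]
    found = set()
    for scope, stmts in [("options", opts)] + views:
        for name in ("allow-recursion", "allow-query-cache"):
            if "any" in (acl(name, stmts) or []):
                found.add((scope, name, "open to any"))
        # Page: "If allow-query-cache is not set allow-query applies."
        cache, query = acl("allow-query-cache", stmts, opts), acl("allow-query", stmts, opts)
        if cache is None and "any" in (query or []):
            found.add((scope, "allow-query", "any also covers the cache"))
        if (["dnssec-accept-expired", "yes"], None) in stmts:
            found.add((scope, "dnssec-accept-expired", "replay exposure"))
    return sorted(found)
```

The zone-level `allow-query { any; };` in the "internal" view is not reported, because it is set inside a zone and that view sets its own `allow-query-cache`.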
