ISC BIND 9.7.0b3 is now available
Evan Hunt
each at isc.org
Mon Nov 30 22:07:50 UTC 2009
BIND 9.7.0b3 is now available.
BIND 9.7.0b3 is the third beta release of BIND 9.7.0.
Overview:
BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.
NOTE: This release contains the following security fix:
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection (see README.pkcs11 for additional details).
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then
you should ensure that all changes that are in progress have completed
prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
BIND 9.7.0b3 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz
The PGP signature of the distribution is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip
The PGP signature of the binary kit is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha512.asc
Changes since 9.7.0b2:
--- 9.7.0b3 released ---
2785. [bug] Revoked keys could fail to self-sign [RT #20652]
2784. [bug] TC was not always being set when required glue was
dropped. [RT #20655]
2783. [func] Return minimal responses to EDNS/UDP queries with a UDP
buffer size of 512 or less. [RT #20654]
2782. [port] win32: use getaddrinfo() for hostname lookups.
[RT #20650]
2781. [bug] Inactive keys could be used for signing. [RT #20649]
2780. [bug] dnssec-keygen -A none didn't properly unset the
activation date in all cases. [RT #20648]
2779. [bug] Dynamic key revokation could fail. [RT #20644]
2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638]
2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
2776. [bug] Change #2762 was not correct. [RT #20647]
2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
in dnssec-keyfromlabel. [RT #20643]
2774. [bug] Existing cache DB wasn't being reused after
reconfiguration. [RT #20629]
2773. [bug] In autosigned zones, the SOA could be signed
with the KSK. [RT #20628]
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
2771. [bug] dnssec-signzone: DNSKEY records could be
corrupted when importing from key files [RT #20624]
2770. [cleanup] Add log messages to resolver.c to indicate events
causing FORMERR responses. [RT #20526]
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
2767. [bug] named could crash on startup if a zone was
configured with auto-dnssec and there was no
key-directory. [RT #20615]
2766. [bug] isc_socket_fdwatchpoke() should only update the
socketmgr state if the socket is not pending on a
read or write. [RT #20603]
2765. [bug] Skip masters for which the TSIG key cannot be found.
[RT #20595]
2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
2762. [bug] DLV validation failed with a local slave DLV zone.
[RT #20577]
2761. [cleanup] Enable internal symbol table for backtrace only for
systems that are known to work. Currently, BSD
variants, Linux and Solaris are supported. [RT# 20202]
2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2759. [doc] Add information about .jbk/.jnw files to
the ARM. [RT #20303]
2758. [bug] win32: Added a workaround for a windows 2008 bug
that could cause the UDP client handler to shut
down. [RT #19176]
2757. [bug] dig: assertion failure could occur in connect
timeout. [RT #20599]
2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
2755. [placeholder]
2754. [bug] Secure-to-insecure transitions failed when zone
was signed with NSEC3. [RT #20587]
2753. [bug] Removed an unnecessary warning that could appear when
building an NSEC chain. [RT #20588]
2752. [bug] Locking violation. [RT #20587]
2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
2750. [bug] dig: assertion failure could occur when a server
didn't have an address. [RT #20579]
2749. [bug] ixfr-from-differences generated a non-minimal ixfr
for NSEC3 signed zones. [RT #20452]
2748. [func] Identify bad answers from GTLD servers and treat them
as referrals. [RT #18884]
2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541]
2746. [port] hpux: address signed/unsigned expansion mismatch of
dns_rbtnode_t.nsec. [RT #20542]
2745. [bug] configure script didn't probe the return type of
gai_strerror(3) correctly. [RT #20573]
2744. [func] Log if a query was over TCP. [RT #19961]
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
for a insecure delegation.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list