BIND 9.6-ESV-R8b1 is now available
Michael McNally
mcnally at isc.org
Fri Aug 10 19:41:19 UTC 2012
Introduction
BIND 9.6-ESV-R8b1 is the first beta release of BIND 9.6-ESV-R8.
BIND 9.6-ESV is an Extended Support Version of BIND.
This document summarizes changes from BIND 9.6-ESV-R7 to BIND
9.6-ESV-R8b1. Please see the CHANGES file in the source code
release for a complete list of all changes.
Download
The latest versions of BIND 9 software can always be found on our
web site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options.
Free support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
Security Fixes
- Prevents a named assert (crash) when validating caused by
using "Bad cache" data before it has been initialized.
[CVE-2012-3817] [RT #30025]
- A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process. [CVE-2012-1667] [RT #29644]
New Features
- None
Feature Changes
- Improves OpenSSL error logging [RT #29932]
- nslookup now returns a nonzero exit code when it is unable
to get an answer. [RT #29492]
Bug Fixes
- Ensures that servers are expired from the ADB cache when the
timeout limit is reached so that their learned attributes can
be refreshed. Prior to this change, servers that were
frequently queried might never have their entries removed and
reinitialized. This is of particular importance to
DNSSEC-validating recursive servers that might erroneously
set "no-edns" for an authoritative server following a period
of intermittent connectivity. [RT #29856]
- Adds additional resilience to a previous security change
(3218) by preventing RRSIG data from being added to cache
when a pseudo-record matching the covering type and proving
non-existence exists at a higher trust level. The earlier
change prevented this inconsistent data from being retrieved
from cache in response to client queries - with this additional
change, the RRSIG records are no longer inserted into cache
at all. [RT #26809]
- The tests on random jitter values that are used when handling
zone refreshes have been relaxed. Prior to this change named
could terminate unexpectedly when processing stub zones. [RT#
29821]
- Fixes the defect introduced by change #3314 that was causing
failures when saving stub zones to disk (resulting in excessive
CPU usage in some cases). [RT #29952]
- It is now possible to using multiple control keys again -
this functionality was inadvertently broken by change #3924
(RT #28265) which addressed a memory leak. [RT #29694]
- Setting resolver-query-timeout too low could cause named
problems recovering after a loss of connectivity. [RT #29623]
- Reduces the potential build-up of stale RRsets in cache on a
busy recursive nameserver by re-using cached DS and RRSIG
rrsets when possible [RT #29446]
- Upper-case/lower-case handling of RRSIG signer-names is now
handled consistently: RRSIG records are generated with the
signer-name in lower case. They are accepted with any case,
but if they fail to validate, we try again in lower case. [RT
#27451]
Thank You
Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us
in continuing to make quality open source software, please visit
our donations page at http://www.isc.org/supportisc.
(c) 2001-2012 Internet Systems Consortium
More information about the bind-users
mailing list