New Features in BIND 9.8

DNS64

DNS64 is a transition mechanism to IPv6 deployment. It is one of several options available to ISPs and other providers to ease deployment issues surrounding IPv6.

Response Policy Zones

This is a feature to assist ISPs and other organizations who must block certain domain names from resolution or return false answers for them. Common uses for this code are meeting governmental requirements, enforcing company policy, and diverting botnets or other threats. Further materials about DNS RPZ.

GOST DNSSEC Algorithm Support

We are including support for the GOST DNSSEC algorithm in BIND 9.8.0. This requires that the OpenSSL which BIND 9 uses supports the GOST algorithm.

Sample DNSSEC Root Key

ISC will ship a current DNSSEC key for the root. It will not be used by default. It is enabled by adding “dnssec-validation auto;” rather than using “yes” or “no.”

GSSAPI Configuration and Other Improvements

ISC has been working with the Samba Project to improve GSSAPI configuration when used with Samba. We believe these configuration and bug fixes are of general use to many who wish to use GSSAPI for Windows integration and other purposes.

Improved Stub Zones

In previous versions of BIND 9, a “stub zone” would cause named to fetch NS records from the servers listed, and use those internally as well as return them as data. This change makes stub zones behave more like they are expected to behave. Existing behavior is still supported without configuration changes. With this change, BIND 9.8.0 and beyond will have the option of using the hosts listed to answer queries, but will not leak this redirection to clients. The primary uses for this have been DNSSEC test beds where participating recursive servers are pointed to a DNSSEC-signed version of a TLD, but the NS records are still listed as the real servers.

Dynamic DNS ACL Callout

BIND 9.8.0 may communicate with an external daemon when processing a dynamic update request. This daemon may decide whether the update should be allowed, based on information that is not available to BIND.

Allow Query Timeout Value Change

ISC changed the default query timeout from 30 seconds to 10. This feature will also introduce the ability to set the client query timeout in named.conf using the new 'resolver-query-timeout' option, which specifies a maximum time in seconds. 0 means 'default' and anything longer than 30 will be silently set to 30.

End of Feature: RTT Banding

ISC has evaluated the increased security provided by RTT banding versus the impact it can have on resolver latency and concluded that the negative effects outweigh the benefits. Therefore with this release, BIND is reverting to the server selection mechanism used prior to adding RTT banding.
