BIND 9.3.2-P2

BIND 9.3 is a previous major release. It is still supported, and bug fixes and security fixes will be made available as minor releases. No new features will be added.

Some of the important features of BIND 9 are:

• DNS Security
  • DNSSEC (signed zones)
    
  • TSIG (signed DNS requests)
• IP version 6
  • Answers DNS queries on IPv6 sockets
  • IPv6 resource records (AAAA, DNAME, etc.)
  • Experimental IPv6 Resolver Library
• DNS Protocol Enhancements
  • IXFR, DDNS, Notify, EDNS0
  • Improved standards conformance
• Views
  • One server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients, and an "outside" view to others.
• Multiprocessor Support
• Improved Portability Architecture

Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLNet - NLNet Foundation
Nominum, Inc.

All ISC software is signed with our OpenPGP Key

You can download ISC software either from our master site, or at a number of mirror sites across the globe.

• CVE-2007-0494
• CVE-2007-0493
• CVE-2006-4095
  CERT Vulnerability Note VU#915404
  NISCC 172003
• CVE-2006-4096
  CERT Vulnerability Note VU#697164
  NISCC 172003
• CAN-2005-0034
  NISCC-UNIRAS 20050125-00059
  CERT Vulnerability Note VU#938617

The BIND 9 Administrator Reference Manual is included with the source distribution in DocBook XML and HTML format, in the doc/arm directory.

Some of the programs in the BIND 9 distribution have man pages under the doc/man directory. In particular, the command line options of "named" are documented in doc/man/bind/named.8. There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration notes in doc/misc/migration. If you are upgrading from BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in the FAQ.

BIND 9.5 features for the non-programmer

We've had successful builds and tests on the following systems:

• COMPAQ Tru64 UNIX 5.1B
• Fedora Core 6
• FreeBSD 4.10, 5.2.1, 6.2
• Mac OS X 10.5
• NetBSD 3.x and 4.0-beta
• OpenBSD 3.3 and up
• HP-UX 11.11
• Slackware Linux 8.1
• Solaris 8, 9, 9 (x86), 10
• Ubuntu 7.04, 7.10
• Windows NT/2000/XP/2003

  We have recent reports from the user community that a supported version of BIND will build and run on the following systems:

• AIX 4.3, 5L
• CentOS 4, 4.5, 5
• Darwin 9.0.0d1/ARM
• Debian 4
• Fedora Core 5, 7
• FreeBSD 6.1
• HP-UX 11.11, 11.23 PA
• MacOS X 10.4, 10.5
• Red Hat Enterprise Linux 4, 5
• SCO OpenServer 5.0.6
• Slackware 9, 10
• SuSE 9, 10

To build, just

./configure
make

Several environment variables that can be set before running configure will affect compilation:

CC
The C compiler to use. configure tries to figure out the right one for supported systems.

CFLAGS
C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler.

STD_CINCLUDES
System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.

STD_CDEFINES
Any additional preprocessor symbols you want defined. Defaults to empty string.

To build shared libraries, specify "--with-libtool" on the configure command line.

For the server to support DNSSEC, you need to build it with crypto support. You must have OpenSSL 0.9.5a or newer installed and specify "--with-openssl" on the configure command line. If OpenSSL is installed under a nonstandard prefix, you can tell configure where to look for it using "--with-openssl=/prefix".

To build libbind (BIND 8 resolver library), specify "--enable-libbind" on the configure command line.

On some platforms, BIND 9 can be built with multithreading support, allowing it to take advantage of multiple CPUs. You can specify whether to build a multithreaded BIND 9 by specifying "--enable-threads" or "--disable-threads" on the configure command line. The default is operating system dependent.

If your operating system has integrated support for IPv6, it will be used automatically. If you have installed KAME IPv6 separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries. By default, installation is into /usr/local, but this can be changed with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory where configuration files like "named.conf" go by default, and "--localstatedir" to set the default parent directory of "run/named.pid". For backwards compatibility with BIND 8, --sysconfdir defaults to "/etc" and --localstatedir defaults to "/var" if no --prefix option is given. If there is a --prefix option, sysconfdir defaults to "$prefix/etc" and localstatedir defaults to "$prefix/var".

To see additional configure options, run "configure --help". Note that the help message does not reflect the BIND 8 compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you should also "make depend". If you're using Emacs, you might find "make tags" helpful.

Building with gcc is not supported, unless gcc is the vendor's usual compiler (e.g. the various BSD systems, Linux).

Known compiler issues:

• gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
• gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
• gcc-3.3.5 powerpc generates incorrect code at -02.
• Irix, MipsPRO 7.3.1m is known to cause problems.

A limited test suite can be run with "make test". Many of the tests require you to configure a set of virtual IP addresses on your system, and some require Perl; see bin/tests/system/README for details.

		BIND 9.3.2-P2 is now available.

BIND 9.3.2-P2 is a SECURITY release for BIND 9.3.

BIND 9.3.2-P2 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.3.2-P2/bind-9.3.2-P2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows NT 4.0 and Windows 2000 is at

	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip

The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at
        
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.3.2-P2/BIND9.3.2-P2.debug.zip.sha512.asc

A list of changes made since 9.3.0 follows.  For earlier changes,
see the file CHANGES in the distribution.

--------

	--- 9.3.2-P2 released ---

2090.	[port]		win32: Visual C++ 2005 command line manifest support.
			[RT #16417]

2089.	[security]	Raise the minimum safe OpenSSL versions to
			OpenSSL 0.9.7l and OpenSSL 0.9.8d.  Versions
			prior to these have known security flaws which
			are (potentially) exploitable in named. [RT #16391]

2088.	[security]	Change the default RSA exponent from 3 to 65537.
			[RT #16391]

2083.	[port]		win32: Visual C++ 2005 support.

	--- 9.3.2-P1 released ---

2066.	[security]	Handle SIG queries gracefully. [RT #16300]

1941.	[bug]		ncache_adderesult() should set eresult even if no
			rdataset is passed to it. [RT #15642]

	--- 9.3.2 released ---

	--- 9.3.2rc1 released ---

1936.	[bug]		The validator could leak memory. [RT #15544]

1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]

	--- 9.3.2b2 released ---

1930.	[port]		HPUX: ia64 support. [RT #15473]

1929.	[port]		FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.

1926.	[bug]		The Windows installer did not check for empty
			passwords.  BINDinstall was being installed in
			the wrong place. [RT #15483]

1925.	[port]		All outer level AC_TRY_RUNs need cross compiling
			defaults. [RT #15469]

1924.	[port]		libbind: hpux ia64 support. [RT #15473]

1923.	[bug]		ns_client_detach() called too early. [RT #15499]

	--- 9.3.2b1 released ---

1917.	[doc]		funcsynopsisinfo wasn't being treated as verbatim
			when generating man pages. [RT #15385]

1915.	[bug]		dig +ndots was broken. [RT #15215]

1914.	[protocol]	DS is required to accept mnemonic algorithms
			(RFC 4034).  Still emit numeric algorithms for
			compatability with RFC 3658. [RT #15354]

1911.	[bug]		Update windows socket code. [RT #14965]

1910.	[bug]		dig's +sigchase code overhauled. [RT #14933]

1909.	[bug]		The DLV code has been re-worked to make no longer
			query order sensitive. [RT #14933]

1905.	[bug]		Strings returned from cfg_obj_asstring() should be
                        treated as read-only.  [RT #15256]

1901.	[cleanup]	Don't add DNSKEY records to the additional section.

1900.	[bug]		ixfr-from-differences failed to ensure that the
			serial number increased. [RT #15036]

1896.	[bug]		Extend ISC_SOCKADDR_FORMATSIZE and
			ISC_NETADDR_FORMATSIZE to allow for scope details.

1894.	[bug]		Recursive clients soft quota support wasn't working
			as expected. [RT #15103]

1893.	[bug]		A escaped character is, potentially, converted to
			the output character set too early. [RT #14666]

1892.	[port]		Use uintptr_t if available. [RT #14606]

1889.	[port]		sunos: non blocking i/o support. [RT #14951]

1887.	[bug]		The cache could delete expired records too fast for
			clients with a virtual time in the past. [RT #14991]

1886.	[bug]		fctx_create() could return success even though it
			failed. [RT #14993]

1884.	[cleanup]	dighost.c: move external declarations into .

1883.	[bug]		dnssec-signzone, dnssec-keygen: handle negative debug
			levels. [RT #14962]

1881.	[func]		Add a system test for named-checkconf. [RT #14931]

1877.	[bug]		Fix unreasonably low quantum on call to
			dns_rbt_destroy2().  Remove unnecessay unhash_node()
			call. [RT #14919]

1875.	[bug]		process_dhtkey() was using the wrong memory context
			to free some memory. [RT #14890]

1874.	[port]		sunos: portability fixes. [RT #14814]

1873.	[port]		win32: isc__errno2result() now reports its caller.
			[RT #13753]

1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]

1867.	[bug]		It was possible to trigger a INSIST in
			dlv_validatezonekey(). [RT #14846]

1866.	[bug]		resolv.conf parse errors were being ignored by
			dig/host/nslookup. [RT #14841]

1865.	[bug]		Silently ignore nameservers in /etc/resolv.conf with
			bad addresses. [RT #14841]

1864.	[bug]		Don't try the alternative transfer source if you
			got a answer / transfer with the main source
			address. [RT #14802]

1863.	[bug]		rrset-order "fixed" error messages not complete.

1861.	[bug]		dig could trigger a INSIST on certain malformed
			responses. [RT #14801]

1860.	[port]		solaris 2.8: hack_shutup_pthreadmutexinit was
			incorrectly set. [RT #14775]

1858.	[bug]		The flush-zones-on-shutdown option wasn't being
			parsed. [RT #14686]

1857.	[bug]		named could trigger a INSIST() if reconfigured /
			reloaded too fast.  [RT #14673]

1856.	[doc]		Switch Docbook toolchain from DSSSL to XSL.
			[RT #11398]

1855.	[bug]		ixfr-from-differences was failing to detect changes
			of ttl due to dns_diff_subtract() was ignoring the ttl
			of records.  [RT #14616]

1854.	[bug]		lwres also needs to know the print format for
			(long long).  [RT #13754]

1853.	[bug]		Rework how DLV interacts with proveunsecure().
			[RT #13605]

1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
			dnssec-makekeyset (removed from Makefile years ago).

1850.	[bug]		Memory leak in lwres_getipnodebyaddr(). [RT #14591]

1849.	[doc]		All forms of the man pages (docbook, man, html) should
			have consistant copyright dates.

1848.	[bug]		Improve SMF integration. [RT #13238]

1847.	[bug]		isc_ondestroy_init() is called too late in
			dns_rbtdb_create()/dns_rbtdb64_create(). 
			[RT #13661]
			
1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
			.

1845.	[bug]		Improve error reporting to distingish between
			accept()/fcntl() and socket()/fcntl() errors.
			[RT #13745]

1844.	[bug]		inet_pton() accepted more that 4 hexadecimal digits
			for each 16 bit piece of the IPv6 address.  The text
			representation of a IPv6 address has been tighted
			to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
			[RT #5662]

1843.	[cleanup]	CINCLUDES takes precedence over CFLAGS.  This helps
			when CFLAGS contains "-I /usr/local/include"
			resulting in old header files being used.

1842.	[port]		cmsg_len() could produce incorrect results on
			some platform. [RT #13744]

1841.	[bug]		"dig +nssearch" now makes a recursive query to
			find the list of nameservers to query. [RT #13694]

1839.	[bug]		 was not being installed.

1838.	[cleanup]	Don't allow Linux capabilities to be inherited.
			[RT #13707]

1837.	[bug]		Compile time option ISC_FACILITY was not effective
			for 'named -u '.  [RT #13714]

1836.	[cleanup]	Silence compiler warnings in hash_test.c.

1835.	[bug]		Update dnssec-signzone's usage message. [RT #13657]

1834.	[bug]		Bad memset in rdata_test.c. [RT #13658]

1833.	[bug]		Race condition in isc_mutex_lock_profile(). [RT #13660]

1832.	[bug]		named fails to return BADKEY on unknown TSIG algorithm.
			[RT #13620]

1831.	[doc]		Update named-checkzone documentation. [RT#13604]

1830.	[bug]		adb lame cache has sence of test reversed. [RT #13600]

1829.	[bug]		win32: "pid-file none;" broken. [RT #13563]

1828.	[bug]		isc_rwlock_init() failed to properly cleanup if it
			encountered a error. [RT #13549]

1827.	[bug]		host: update usage message for '-a'. [RT #37116]

1826.	[bug]		Missing DESTROYLOCK() in isc_mem_createx() on out
			of memory error. [RT #13537]

1825.	[bug]		Missing UNLOCK() on out of memory error from in
			rbtdb.c:subtractrdataset(). [RT #13519]

1824.	[bug]		Memory leak on dns_zone_setdbtype() failure.
			[RT #13510]

1823.	[bug]		Wrong macro used to check for point to point interface.
			[RT#13418]

1822.	[bug]		check-names test for RT was reversed. [RT #13382]

1821.	[doc]		acls definitions are no longer required to be 
			in named.conf prior to reference.  They can be
			defined after being referenced.

1820.	[bug]		Gracefully handle acl loops. [RT #13659]

1819.	[bug]		The validator needed to check both the algorithm and
			digest types of the DS to determine if it could be
			used to introduce a secure zone. [RT #13593]

1816.	[port]		UnixWare: failed to compile lib/isc/unix/net.c.
			[RT #13597]

1815.	[bug]		nsupdate triggered a REQUIRE if the server was set
			without also setting the zone and it encountered
			a CNAME and was using TSIG.  [RT #13086]

1810.	[bug]		configure, lib/bind/configure make different default
			decisions about whether to do a threaded build.
			[RT #13212]

1809.	[bug]		"make distclean" failed for libbind if the platform
			is not supported.

1807.	[bug]		When forwarding (forward only) set the active domain
			from the forward zone name. [RT #13526]
			
1804.	[bug]		Ensure that if we are queried for glue that it fits
			in the additional section or TC is set to tell the
			client to retry using TCP. [RT #10114]

1803.	[bug]		dnssec-signzone sometimes failed to remove old
			RRSIGs. [RT #13483]

1802.	[bug]		Handle connection resets better. [RT #11280]

1799.	[bug]		'rndc flushname' failed to flush negative cache
			entries. [RT #13438]

1795.	[bug]		"rndc dumpdb" was not fully documented.  Minor
			formating issues with "rndc dumpdb -all".  [RT #13396]

1791.	[bug]		'host -t a' still printed out AAAA and MX records.
			[RT #13230]

	--- 9.3.1 released ---

1818.	[bug]		'named-checkconf -z' triggered an INSIST. [RT #13599]

	--- 9.3.1rc1 released ---

1812.	[port]		win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
			[RT #13453]

1808.	[bug]		zone.c:notify_zone() contained a race condition,
			zone->db could change underneath it.  [RT #13511]

1806.	[bug]		The resolver returned the wrong result when a CNAME /
			DNAME was encountered when fetching glue from a
			secure namespace. [RT #13501]

1805.	[bug]		Pending status was not being cleared when DLV was
			active. [RT #13501]

	--- 9.3.1beta2 released ---

1800.	[bug]		Changes #1719 allowed a INSIST to be triggered.
			[RT #13428]

	--- 9.3.1beta1 released ---

1790.	[cleanup]	Move lib/dns/sec/dst up into lib/dns.  This should
			allow parallel make to succeed.

1789.	[bug]		Prerequisite test for tkey and dnssec could fail
			with "configure --with-libtool".

1788.	[bug]		libbind9.la/libbind9.so needs to link against
			libisccfg.la/libisccfg.so.

1787.	[port]		HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.

1786.	[port]		AIX: libt_api needs to be taught to look for
			T_testlist in the main executable (--with-libtool).
			[RT #13239]

1785.	[bug]		libbind9.la/libbind9.so needs to link against
			libisc.la/libisc.so.

1784.	[cleanup]	"libtool -allow-undefined" is the default.
			Leave hooks in configure to allow it to be set
			if needed in the future.

1783.	[cleanup]	We only need one copy of libtool.m4, ltmain.sh in the
			source tree.

1782.	[port]		OSX: --with-libtool + --enable-libbind broke on
			__evOptMonoTime.  [RT #13219]

1781.	[port]		FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]

1780.	[bug]		Update libtool to 1.5.10.

1779.	[port]		OSF 5.1: libtool didn't handle -pthread correctly.

1778.   [port]   	HUX 11.11: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1777.   [port]   	OSF 5.1: fix broken IN6ADDR_ANY_INIT and
			IN6ADDR_LOOPBACK_INIT macros.

1776.   [port]   	Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
                        IN6ADDR_LOOPBACK_INIT macros.

1775.	[bug]		Only compile getnetent_r.c when threaded. [RT #13205]

1774.	[port]		Aix: Silence compiler warnings / build failures.
			[RT #13154]

1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]

1770.	[bug]		named-checkconf failed to report missing a missing
			file clause for rbt{64} master/hint zones. [RT#13009]

1769.	[port]		win32: change compiler flags /MTd ==> /MDd,
			/MT ==> /MD.

1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
			rdataset. [RT #12907]

1767.	[port]		Builds on IPv6 platforms without IPv6 Advanced API
			support for (struct in6_pktinfo) failed.  [RT #13077]

1766.	[bug]		Update the master file timestamp on successful refresh
			as well as the journal's timestamp. [RT# 13062]

1765.	[bug]		configure --with-openssl=auto failed. [RT #12937]

1764.	[bug]		dns_zone_replacedb failed to emit a error message
			if there was no SOA record in the replacment db.
			[RT #13016]

1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
			even when it failed. [RT #12995]

1761.	[bug]		'rndc dumpdb' didn't report unassociated entries.
			[RT #12971]

1760.	[bug]		Host / net unreachable was not penalising rtt
			estimates. [RT #12970]

1759.	[bug]		Named failed to startup if the OS supported IPv6
			but had no IPv6 interfaces configured. [RT #12942]

1754.	[bug]		We wern't always attempting to query the parent
			server for the DS records at the zone cut.
			[RT #12774]

1753.	[bug]		Don't serve a slave zone which has no NS records.
			[RT #12894]

1752.	[port]		Move isc_app_start() to after ns_os_daemonise()
			as some fork() implementations unblock the signals
			that are blocked by isc_app_start(). [RT #12810]

1751.	[bug]		--enable-getifaddrs failed under linux. [RT #12867]

1750.	[port]		lib/bind/make/rules.in:subdirs was not bash friendly.
			[RT #12864]

1749.	[bug]		'check-names response ignore;' failed to ignore.
			[RT #12866]

1747.	[bug]		BIND 8 compatability: named/named-checkconf failed
			to parse "host-statistics-max" in named.conf.

1745.	[bug]		Dig/host/nslookup accept replies from link locals
			regardless of scope if no scope was specified when
			query was sent. [RT #12745]

1744.	[bug]		If tuple2msgname() failed to convert a tuple to
			a name a REQUIRE could be triggered. [RT #12796]

1743.	[bug]		If isc_taskmgr_create() was not able to create the
			requested number of worker threads then destruction
			of the manager would trigger an INSIST() failure.
			[RT #12790]
			
1742.	[bug]		Deleting all records at a node then adding a
			previously existing record, in a single UPDATE
			transaction, failed to leave / regenerate the
			associated RRSIG records. [RT #12788]

1741.	[bug]		Deleting all records at a node in a secure zone
			using a update-policy grant failed. [RT #12787]

1740.	[bug]		Replace rbt's hash algorithm as it performed badly
			with certain zones. [RT #12729]
			
			NOTE: a hash context now needs to be established
			via isc_hash_create() if the application was not
			already doing this.

1739.	[bug]		dns_rbt_deletetree() could incorrectly return
			ISC_R_QUOTA.  [RT #12695]

1738.	[bug]		Enable overrun checking by default. [RT #12695]

1737.	[bug]		named failed if more than 16 masters were specified.
			[RT #12627]

1736.	[bug]		dst_key_fromnamedfile() could fail to read a
			public key. [RT #12687]
			
1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
			[RE #12688]

1734.	[cleanup]	'rndc-confgen -a -t' remove extra '/' in path.
			[RT #12588]

1733.	[bug]		Return non-zero exit status on initial load failure.
			[RT #12658]

1732.	[bug]		'rrset-order name "*"' wasn't being applied to ".".
			[RT #12467]

1731.	[port]		darwin: relax version test in ifconfig.sh.
			[RT #12581]

1730.	[port]		Determine the length type used by the socket API.
			[RT #12581]

1728.	[doc]		Update check-names documentation.

1727.	[bug]		named-checkzone: check-names support didn't match
			documentation.

1726.	[port]		aix5: add support for aix5.

1725.	[port]		linux: update error message on interaction of threads,
			capabilities and setuid support (named -u). [RT #12541]

1724.	[bug]		Look for DNSKEY records with "dig +sigtrace".
			[RT #12557]

1723.	[cleanup]	Silence compiler warnings from t_tasks.c. [RT #12493]

1722.	[bug]		Don't commit the journal on malformed ixfr streams.
			[RT #12519]

1721.	[bug]		Error message from the journal processing were not
			always identifing the relevent journal. [RT #12519]

1720.	[bug]		'dig +chase' did not terminate on a RFC 2308 Type 1
			negative response. [RT #12506]

1719.	[bug]		named was not correctly caching a RFC 2308 Type 1
			negative response. [RT #12506]

1718.	[bug]		nsupdate was not handling RFC 2308 Type 3 negative
			responses when looking for the zone / master server.
			[RT #12506]

1717.	[port]		solaris: ifconfig.sh did not support Solaris 10.
			"ifconfig.sh down" didn't work for Solaris 9.

1716.	[doc]		named.conf(5) was being installed in the wrong
			location.  [RT# 12441]

1714.	[bug]		dig/host/nslookup were only trying the first
			address when a nameserver was specified by name.
			[RT #12286]

1713.	[port]		linux: extend capset failure message to say:
			please ensure that the capset kernel module is
			loaded.  see insmod(8)

1712.	[bug]		Missing FULLCHECK for "trusted-key" in dig.

	--- 9.3.0 released ---

To join the BIND Users mailing list, send mail to: bind-users-request@isc.org.

If you're planning on making changes to the BIND 9 source code, you might want to join the BIND Workers mailing list. Send mail to: bind-workers-request@isc.org