BIND 9.8.2 is now available
jagan padhi
jagan.padhi at gmail.com
Thu Apr 12 04:50:30 UTC 2012
There High DNS Reponse(1000 MS DNS Resolution) for facebook.com....
On Thu, Apr 5, 2012 at 1:38 AM, Brian Conry <bconry at isc.org> wrote:
> Introduction
>
> BIND 9.8.2 is the latest production release of BIND 9.8.
>
> This document summarizes changes from BIND 9.8.1 to BIND 9.8.2.
> Please see the CHANGES file in the source code release for a complete
> list of all changes.
>
> Download
>
> The latest versions of BIND 9 software can always be found on our
> web site at http://www.isc.org/downloads/all. There you will find
> additional information about each release, source code, and
> pre-compiled versions for Microsoft Windows operating systems.
>
> Support
>
> Product support information is available on
> http://www.isc.org/services/support for paid support options. Free
> support is provided by our user community via a mailing list.
> Information on all public email lists is available at
> https://lists.isc.org/mailman/listinfo.
>
> Security Fixes
>
> + BIND 9 nameservers performing recursive queries could cache an
> invalid record and subsequent queries for that record could
> crash the resolvers with an assertion failure. [RT #26590]
> [CVE-2011-4313]
>
> Feature Changes
>
> + RPZ implementation now conforms to version 3 of the specification.
> [RT #27316]
>
> + It is now possible to explicitly disable DLV in named.conf by
> specifying "dnssec-lookaside no;". This is the default, but the
> ability to configure it makes it clearly visible to administrators.
> [RT #24858]
>
> + --enable-developer, a new composite argument to the configure
> script, enables a set of build options normally disabled but
> frequently selected in test or development builds, specifically:
> enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
> enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
> Darwin, also enable_exportlib) [RT #27103]
>
> Bug Fixes
> + Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota
> if the zone was being removed. [RT #28419]
>
> + A parser bug could cause named to crash while reading a malformed
> zone file. [RT #28467]
>
> + Fixed a problem preventing proper use of 64 bit time values in
> libbind. [RT # 26542]
>
> + isccc/cc.c:table_fromwire could fail to free an allocated object on
> error, leading to a possible memory leak condition. [RT #28265]
>
> + Fixed a build error on systems without ENOTSUP. [RT #28200]
>
> + The header file isc/hmacsha.h is now installed when building BIND.
> [RT #28169]
>
> + Resolves spurious test failures in ans.pl by updating it to work
> correctly with Net::DNS 0.68 [RT #28028]
>
> + The managed key maintenance timer could fail to restart after 'rndc
> reconfig' resulting in managed keys not being properly added to
> managed-keys.bind [RT #27686]
>
> + Corrects a potential overflow problem in the computation of
> RRSIG expiration times. [RT #23311]
>
> + The maximum number of NSEC3 iterations for a DNSKEY RRset was
> not being properly computed. [RT #26543]
>
> + Error reporting has been improved for failures encountered
> when sending or receiving network packets. In particular
> some memory allocation failures were being logged as "unexpected
> error" - these will now be reported accurately. A new
> ISC_R_UNSET result code has also been added to cover those
> situations where there is no error code returned by the OS
> sockets implementation. [RT #27336]
>
> + Corrects an INSIST failure by addressing race conditions in
> the handling of rbtnode.deadlink. [RT #27738]
>
> + SOA refresh queries could be treated as cancelled despite
> succeeding over the loopback interface. [RT #27782]
>
> + When replacing an NS RRset, BIND now restricts the TTL of the
> new NS RRset to no more than that of the NS RRset it replaces
> to fix a timing problem that can arise when removing a delegation.
> [RT #27792/27884]
>
> + Raw zones with with more than 512 records in a RRset previously
> failed to load. [RT #27863]
>
> + Make sure automatic key maintenance is started when "rndc reconfig"
> is issued if "auto-dnssec maintain" is turned on. [RT #26805]
>
> + Windows builds are now restricted to a single listener thread
> until incompatibility with the multiple listeners code can be
> addressed [RT #27696]
>
> + AAAA responses could be returned in the additional section even
> when filter-aaaa-on-v4 was in use. [RT #27292]
>
> + An error handling an out of memory condition could cause a stored
> rdataset to be freed twice using DNS64. [RT #27762]
>
> + Some query patterns could cause responses not to be returned
> in cyclic order though "rrset-order cyclic" was set. [RT
> #27170/27185]
>
> + named-compilezone now longer emits "dump zone to <file>" message
> when writing to stdout. [RT #27109]
>
> + Sets isc_socket_ipv6only() on the IPv6 control channels. This
> addresses IPv6 socket binding problems that can occur in some
> configurations when bindv6only=1 is set globally. [RT #22249]
>
> + named now reports a syntax error when a TXT record longer than
> 255 characters is configured. [RT #26956]
>
> + Addresses race conditions in the resolver code that can cause
> named to abort. [RT #26889]
>
> + Fixed a bug that could cause named to crash while loading a
> zone with invalid DNSKEY records. [RT #26913]
>
> + Prevents dig -6 +trace from terminating with an error when
> encountering a root nameserver without an AAAA record. RT #26906]
>
> + Prevents DNSKEY state change events from being missed by ensuring
> that the timestamps used to determine which keys are in use are
> set appropriately. [RT #26874]
>
> + When processing a list of keys, named now consistently compares
> them with the same timestamp. [RT #26883]
>
> + Fixed a corner case race condition in the validator that may
> cause an assert in a multi-threaded build of BIND. [RT #26478]
>
> + Poor error handling could cause named to hang during shutdown.
> [RT #26372]
>
> + named now correctly validates DNSSEC positive wildcard responses
> from NSEC3 signed zones. [RT #26200]
>
> + Fixes a problem with the computation of tags for revoked keys.
> [RT #26186]
>
> + Corrects a problem with change #3186. dns_db_rpz_findips()
> could fail to set the database version correctly, causing an
> assertion failure. [RT #26180]
>
> + Master servers that had previously been marked as unreachable
> because of failed zone transfer attempts will now be removed
> from the "unreachable" list (i.e. considered reachable again)
> if the slave receives a NOTIFY message from them. [RT #25960]
>
> + Fixes a bug in zone.c where failure to delete signatures could
> lead to an assertion failure and subsequent abort. [RT #25880]
>
> + Corrects a problem validating root DS responses. [RT #25726]
>
> + Fixes a problem whereby "rndc dumpdb" could cause an assertion
> failure and abort by attempting to print an empty rdataset [RT
> #25452]
>
> + The order in which we process the reactivation of a dead node
> in cache and the incrementing of its reference count created a
> small timing window during which an inconsistency could be
> detected and an assert occur in a multi-threaded environment.
> This should no longer occur. [RT #23219]
>
> + 'dig -y' would crash when passed an unknown TSIG algorithm. dig
> now handles unknown TSIG algorithms more gracefully. [RT #25522]
>
> + Servers that received negative responses from a forwarder were
> failing to cache the answers correctly, resulting in multiple
> queries for the same non-existent name being sent to the
> forwarders instead of answers being provided to clients from
> cache (until TTL expiry). [RT #25380]
>
> + Corrected a bug which could cause a slave server with
> "allow-update-forwarding" set to become unresponsive if the
> master it is trying to reach is off-line or unreachable. [RT
> #24711]
>
> + Socket errors during during recursion were sometimes not handled
> correctly which could lead to a named assert when an associated
> query structure was used after it had already been freed [RT
> #22208]
>
> + The logging level for DNSSEC validation failures due to expired
> or not-yet-valid RRSIGs has been increased to log level "info"
> to make it easier to diagnose these problems. Examples of the
> new log messages are given below:
>
> 03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
> pastdate-A.test.dnssec-tools.org<http://pastdate-a.test.dnssec-tools.org/>A: verify failed due to bad
> signature (keyid=19442): RRSIG has expired
>
> 03-Nov-2011 22:41:31.335 validating @0x12b5d80:
> futuredate-A.test.dnssec-tools.org<http://futuredate-a.test.dnssec-tools.org/>A: verify failed due to
> bad signature (keyid=19442): RRSIG validity period has not
> begun
>
> [RT #21796]
>
> + This change can reduce the time when a server is unavailable
> during "rndc reconfig" for servers with large and complex
> configurations. This is achieved by completing the parsing of
> the configuration files in entirety before entering the exclusive
> phase. (Note that it does not reduce the total time spent in
> "rndc reconfig", and it has no measurable impact on server
> initial start-up times.) [RT #21373]
>
> + Direct queries for type RRSIG or SIG (sometimes used while
> testing) could be handled incorrectly in the case where there
> is no answer available. [RT #21050]
>
> Thank You
>
> Thank you to everyone who assisted us in making this release
> possible. If you would like to contribute to ISC to assist us
> in continuing to make quality open source software, please visit
> our donations page at http://www.isc.org/supportisc.
>
> (c) 2001-2012 Internet Systems Consortium
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120412/5a114af6/attachment.html>
More information about the bind-users
mailing list