We are proud to announce that today we posted a major new release of BIND. This new 9.10 branch will be the fourth simultaneous release train ISC is supporting, alongside 9.8, 9.9, and 9.9-subscriber. (In January 2014, ISC ended support for the 9.6 branch, launched in 2008, as previously announced.) We recommend that administrators of large installations keep one of the older, stable branches (a 9.8- or 9.9-based release) on their critical production systems and test the new 9.10 branch elsewhere until its second or third maintenance release.
Response Rate Limiting. One of the major features in 9.10 was actually first introduced in the 9.9 train, in the 9.9.4 maintenance release. We departed from our usual policy of limiting maintenance releases to bug fixes because this feature, Response Rate Limiting (RRL), was so important. RRL limits the rate at which an authoritative server sends identical responses to a given client address block, which blunts the server's usefulness as an amplifier in reflection DDoS attacks. If you are not using it yet on your authoritative servers, you should consider it now.
RRL has proven to be so valuable and effective that it is now part of the default build configuration: you no longer need to build a custom version of BIND with a special configure option (--enable-rrl, as 9.9.4 required) to use it. Instructions for using RRL are in Using the Response Rate Limiting Feature and (in somewhat more detail) in the BIND 9.10 ARM. We held a webinar, "RRL – Strategies for a Successful Deployment", in November 2013, in which Eddy Winstead interviewed Peter Losher, our Senior Systems Engineer, who deployed RRL for F-Root. Also note our earlier webinar on RRL.
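The following named.conf fragment is an added illustration of a staged RRL rollout on an authoritative server; it is not configuration from the original post or from ISC, and the exempt range, file paths and thresholds are assumptions chosen for the example:

```conf
options {
    directory "/var/named";
    recursion no;            // RRL is intended for authoritative servers, not resolvers

    rate-limit {
        responses-per-second 5;   // identical answers per client block per second
        nxdomains-per-second 5;   // NXDOMAIN answers are counted separately
        errors-per-second 5;      // SERVFAIL/FORMERR etc. are counted separately
        window 5;                 // seconds over which unused credit accumulates
        slip 2;                   // every 2nd rate-limited response is sent truncated (TC=1)
                                  // instead of dropped, so real resolvers retry over TCP
        ipv4-prefix-length 24;    // clients are aggregated per /24 ...
        ipv6-prefix-length 56;    // ... and per /56 (these are the defaults)
        exempt-clients { 192.0.2.0/24; };   // assumed: our own secondaries and monitoring
        log-only yes;             // stage 1: log what would be limited, enforce nothing;
                                  // change to "no" once the log shows only abusive traffic
    };
};

logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 20m;   // assumed path
        print-time yes;
        severity info;
    };
    category rate-limit { rrl_log; };   // RRL decisions are logged in this category
};
```

Run with `log-only yes` first and review the rate-limit log for the client blocks and names that would have been limited; once those are only the reflection targets you expect, switch to `log-only no`. Keep `slip` at 2 (or a small value) rather than 0: slipping sends a truncated response so that a genuine resolver behind a rate-limited block can retry over TCP, while a spoofed reflection victim receives a small packet with no amplification.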
GeoIP support was also introduced in 9.9, through the subscription branch. With release 9.10 this feature is available to everyone. BIND 9 access control lists grant access to various server functions according to the IP address from which a request arrives. BIND 9.10 can use data from MaxMind GeoIP databases to apply restrictions based on the (presumed) geographic location of that address. The ACL itself is still address-based: the GeoIP-based specification mechanism simply populates an ACL with the addresses that the database places in a given location, so the usual caveats apply (the location is an inference about the source address, and for queries arriving via a recursive resolver it is the resolver's location, not the end user's). This capability was derived from code contributed by Ken Brownfield. An interesting use of geographic ACLs is to offer different BIND views to clients in different geographic locations. See Using the GeoIP Features in BIND 9.10 for more information.
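As an added example (not configuration from the original post or from ISC), here is a named.conf fragment that serves a different view of the same zone to clients the MaxMind country database places in a few European countries. The database directory, zone names and file names are assumptions for the illustration:

```conf
options {
    directory "/var/named";
    geoip-directory "/usr/share/GeoIP";   // assumed: where the MaxMind .dat files live
};

// ACLs built from the country database. Each "geoip" element expands to the
// address ranges the database maps to that country code.
acl "clients-eu" {
    geoip country DE;
    geoip country FR;
    geoip country NL;
};

// Views are tried in order; the first whose match-clients accepts the query's
// source address wins, so the geographic view must come before the catch-all.
view "europe" {
    match-clients { clients-eu; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com.eu";   // assumed: copy with EU-local service addresses
    };
};

view "default" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "db.example.com";      // assumed: copy served to everyone else
    };
};
```

The match is made on the query's source address only, so it steers traffic; it does not authenticate anyone. Do not use a GeoIP ACL on its own to gate sensitive operations such as zone transfers or dynamic updates; combine it with `allow-transfer`/`allow-update` lists of specific addresses and TSIG keys as you would without GeoIP.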
One of the major themes for BIND 9.10 is performance improvement. There are significant enhancements for both authoritative and recursive operation in many of the areas where users have asked for better performance.
A new format for zone files stored on disk allows substantially faster zone loading. Most of the time required to reload BIND is spent parsing text zone files. With this new feature, zone files can be saved in a "pre-compiled" map format, an image of the zone as named holds it in memory. The feature applies to authoritative service, and specifically to "slaves", since a slave writes the zone data it receives by transfer rather than editing it by hand. Consult the BIND 9.10 Administrator's Reference Manual (ARM) to learn when using map format is a good idea, when it is not, and the details of how to set up and use map-format zone files. See Using the 'map' zone file format in BIND for a summary of appropriate and inappropriate uses of map-format zone files.
DNS prefetch can improve recursive resolver performance. Resource records received by a resolver are kept in its cache until their TTL expires, and the first client to ask after expiry must wait for a fresh upstream query. BIND 9.10 now offers a "prefetch" option: when a cached record is requested and its remaining TTL has fallen to a configurable trigger value, BIND serves the cached record immediately and also fetches a new copy in the background, so it is fresh in the cache for the next requester. This improves the latency end users see when resolving names with short TTLs, at the cost of some additional upstream queries. See Early refresh of cache records (cache prefetch) in BIND for more information about this new "prefetch" option.
BIND “views” can now share zone files, eliminating duplication of zone data for multiple views and saving memory.
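The named.conf fragment below is an added example, not configuration from the original post or from ISC, that puts the three features above together: a secondary zone stored in map format, cache prefetch on the recursive view, and a second view that reuses the already-loaded zone instead of loading its own copy. The address ranges, primary server and file names are assumptions for the illustration:

```conf
options {
    directory "/var/named";
    // Refresh a cached record in the background when it is queried with
    // 2 s or less of TTL remaining, but only for records whose original TTL
    // was at least 9 s (the eligibility value must be at least 6 s above the
    // trigger). "prefetch 2 9" is the default; it is shown explicitly here.
    prefetch 2 9;
};

view "internal" {
    match-clients { 10.0.0.0/8; };   // assumed: internal client range
    recursion yes;                   // resolver for internal clients; prefetch applies here

    // Secondary copy of the zone stored as a map file: named writes the
    // transferred zone as an image of its in-memory database instead of text,
    // so reloads and restarts skip the parsing step.
    zone "example.com" {
        type slave;
        masters { 192.0.2.1; };      // assumed primary
        file "db.example.com.map";
        masterfile-format map;
    };
};

view "external" {
    match-clients { any; };
    recursion no;                    // authoritative only for the outside world
    // Share the zone object already loaded in "internal" rather than
    // transferring and holding a second copy in memory.
    zone "example.com" {
        in-view "internal";
    };
};
```

Two caveats before copying this. A map file is a memory image, so it is tied to the named version and machine architecture that wrote it; after an upgrade expect named to reject the old file and transfer the zone afresh (an existing text file can be converted with `named-compilezone -F map -o db.example.com.map example.com db.example.com`). And prefetch raises the query rate toward authoritative servers for popular short-TTL names, which is usually the intended trade but worth watching on a busy resolver.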
We made substantial improvements in Response Policy Zone (RPZ) performance. See DNSRPZ performance and scalability when using multiple RPZ zones for more information about this update and for a refresher on the RPZ mechanism and the impact of its use.
EDNS processing now tracks remote server capabilities better when handling recursive queries. Instead of advertising a large EDNS UDP buffer size and gradually decreasing it when responses fail to arrive, BIND 9 now takes a more pessimistic approach: it starts with a small size and works up to larger sizes until it encounters errors. This should improve recursive performance when dealing with many authoritative servers, and it also helps where connectivity is intermittent or where large UDP responses are dropped by older or misconfigured in-path equipment, such as firewalls that discard fragments or DNS packets over 512 bytes.
A new large-server tuning option (the configure option --with-tuning=large) sets internal constants and default settings to values suited to large servers with abundant memory. This can improve performance on such servers, but it consumes more memory and may degrade performance on smaller systems. In addition, adaptive mutex locks are now supported; on systems that provide them, this has been found to improve performance under load.
To read more about the new features in BIND 9.10, check the article New Features in BIND 9.10 or the release notes.