Two BIND 9 Security Vulnerabilities Announced Today
ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities We have released new versions of BIND: 9.Read post
BIND 9.10 brings updates to statistics, troubleshooting tools, and some helpful utilities for zone configuration. The release notes are now posted alongside the software download, and we have created a section in the Knowledgebase for articles on the new features.
XML statistics reported from BIND are refocused on “newer” format. BIND can provide statistics in either XML or JSON formats. JSON is significantly faster than XML, but is not supported yet on Windows. Previous versions of BIND had offered the option of XML statistics in older (v2) or newer (v3) format. The older version 2 statistics date back to BIND 9.6.0, introduced in 2008. BIND 9.10 offers only v3 format but offers it in the default version (without needing to custom-build BIND with statistics enabled).
The statistics channel now also includes many new statistics, including stats for the resolver, cache, address database, dispatch manager, and task manager, which can be used to monitor server health. New URLs have been added to the statistics channel to provide broken-out subgroups of statistics so as to reduce parsing complexity. The XSL stylesheet that enables interpretation of XML statistics can now be cached by the browser. New counters track TCP and UDP queries on a per-zone basis. This satisfies the new ICANN reporting requirement for new Generic Top Level Domains (GTLDs). See Operating statistics provided by BIND statistics channels for more information about the XML statistics channel and its usage. Below are a couple of examples of the new statistics.
Release 9.10 previews the Domain Entity Lookup and Validation engine (DELV), a new DNSSEC troubleshooting tool intended to eventually obsolete dig+sigchase. See Eleven, twelve; dig and delv: BIND 9.10 for more information.
The dig tool now has EDNS client-subnet support and EDNS Expire support. “dig +subnet” sends an EDNS CLIENT-SUBNET option when querying. “dig +expire” sends an EDNS EXPIRE option when querying. When this option is sent with an SOA query to a server that supports it, it will report the expiry time of a slave zone.
A new command makes it easier for others to help you troubleshoot your configuration.
What's New from ISC