Two BIND 9 Security Vulnerabilities Announced Today
ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities We have released new versions of BIND: 9.Read post
New maintenance versions of each of our supported branches are available from our downloads page. We have also updated our 9.9 and 9.10-based Stable Preview releases; both are available to eligible support subscribers through your support queue.
We issue BIND maintenance versions approximately every 6 months.
Our next planned BIND release will be a new feature branch, BIND 9.12, currently planned for December 2017. The 9.12 release will include significant refactoring of key functions in BIND, plus implementations of several improvements to increase efficiency and resilience, including NSEC Aggressive Use and serving stale data when the authority is unresponsive. We are excited to be including a number of changes which improve authoritative performance dramatically for the root and TLD zones, and significantly for other deployment scenarios.
We are ceasing support for lwresd, and recommending that any remaining users consider adopting getdns instead.
Due to recent developments in cryptography, we will be removing the existing default signing algorithm from dnssec-keygen in BIND 9.12; users will now be required to specify signing algorithms explicitly when generating a key with this utility. We are not deprecating any supported algorithms at this time.
We hope this encourages a transition to more secure algorithms, but it will add another configuration choice for new users, and it may break scripts that currently rely on the existing default behavior. The dnssec-keymgr utility can help implement an algorithm change; update its default signing algorithm by changing the policy configuration file.
Release notes are posted next to the downloads. Below are some highlights.
ICANN is in the process of introducing a new Key Signing Key (KSK) for the global root zone. BIND has multiple methods for managing DNSSEC trust anchors, with somewhat different behaviors. If the root key is configured using the managed-keys statement, or if the pre-configured root key is enabled by using dnssec-validation auto, then BIND can keep keys up to date automatically. Servers configured in this way should have begun the process of rolling to the new key when it was published in the root zone in July 2017. However, keys configured using the trusted-keys statement are not automatically maintained. If your server is performing DNSSEC validation and is configured using trusted-keys, you are advised to change your configuration before the root zone begins signing with the new KSK. This is currently scheduled for October 11, 2017.
This release includes an updated version of the
bind.keys file containing the new root key. This file can also be downloaded from https://www.isc.org/bind-keys.
As of BIND 9.11.2, Windows XP is no longer a supported platform for BIND, and Windows XP binaries are no longer available for download from ISC.
Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at https://www.isc.org/donate/.
What's New from ISC