Two BIND 9 Security Vulnerabilities Announced Today
ISC is releasing updated versions of BIND 9 to address two newly-discovered security vulnerabilities We have released new versions of BIND: 9.Read post
BIND 9.9 is a new release of the gold standard for DNS servers on the Internet. It builds on a tried and trusted platform that has been evolving and maturing over more than 10 years and has kept adding new powerful and useful features with each new release.
In BIND 9.9 we have introduced several new features that can make a difference to how you operate your DNS service, no matter what size of an installation you have. Here is a brief rundown of why you should care about this new version:
BIND 9.9 improves performance in two main areas:
Re/Start speed. If you have lots of zones, you will see speedups in start/reconfig/reload times between 3x-20x.
Better I/O. When using a multithreaded build of BIND9.9 on a multicore machine, the work we have done on I/O optimisation will get you better performance for DNS query handling. You get this improvement automatically if you are using threads. To find out if you are, and a few more details about what is behind this, have a look at ISC’s Knowledgebase article at Performance: Multi-threaded I/O.
Trying to do DNSSEC but want to minimise changes?
If you have been thinking about deploying DNSSEC in your authoritative server but found it would change your established workflow too much, we have good news. BIND 9.9 introduces a feature called inline signing. This allows you to drop a BIND 9.9 nameserver at any place in your DNS publication workflow to get your zones signed without having to change things that are already in place. It works by having BIND transfer in and unsigned copy of your DNS zones, handle the signing in a single spot, and make available a signed copy of the zone out the other end. If you drop this between your zone generation process and your current nameservers, it allows for transparent signing by just inserting this one additional step, rather than modifying what you already have. You can look at a few useful examples in ISC’s Knowledgebase at Inline Signing in ISC BIND 9.9.0 – Examples.
Redirection of non-existing names
With the pressure on revenue that everyone is seeing these days, ISPs have been resorting to the use of redirection of DNS queries that return non-existent domains to some ISP-defined user help information. While we understand the desire for this feature, ISC also firmly believes in the need for DNSSEC as a way to provide users with protection online. In that spirit our NXDOMAIN redirection implementation allows ISPs to implement their business models but preservers the integrity of DNSSEC-enabled users by disabling NXDOMAIN redirection if the user requests DNSSEC validation for DNSSEC-signed data.
What's New from ISC