New releases of BIND are available for download from our downloads page.
BIND 9.11.16 and 9.14.11 are maintenance release versions of the existing 9.11 (ESV) and 9.14 release branches and contain the usual assortment of bug fixes and minor feature improvements. We plan to continue maintaining 9.11, which is our current Extended Support Version, through 2020, with security fixes through 2021. 9.16 replaces 9.14 as the new stable version. We had planned to EOL 9.14 at the end of Q1 2020, but we will extend that enough to allow a 3-month transition period for our users. During this time we will backport and issue security fixes as required. If you are running 9.14.x, we recommend you begin planning your migration to 9.16 now, and complete it within about 3 months. To review our published release plan, see this Knowledgebase article.
The bigger news in today’s set of releases is the release of BIND 9.16.0: the code refactoring, new features, and performance work done in the 9.15 experimental branch are now considered complete and stable enough to move to a production branch of BIND. This caps the major changes to that work and moves it into the new stable branch. Evan Hunt, one of the Senior Developers on the BIND 9 project, spoke about the refactoring effort at a recent conference. BIND 9.16 will be an especially long-lived version. Our plan is to declare 9.16 as our next Extended Support Version, after it has been in the field for a while.
Significant work included in the 9.16 branch includes:
The new Key and Signing Policy (KASP) feature provides simplified DNSSEC key and signing management using policies defined by the “dnssec-policy” statement. We hope this tool will significantly facilitate ongoing key and signing maintenance. Use of this tool will be covered in our 10-webinar series on DNSSEC with BIND 9.
BIND’s networking system has been substantially reworked. This does not have user-visible impact yet, but subsequent releases and features will benefit from this change. In particular, we expect to realize significant performance improvements in the 9.16 branch.
The way that DNSSEC trust anchors are managed has been improved. Please note the updated CLI for this.
DLV (Domain Look-aside Verification) has been deprecated since BIND 9.12. dlv.isc.org (the main service used by those previously relying on DLV, operated by ISC) was turned off in 2017. Support for DLV has now been removed from BIND 9 completely, shortening BIND’s validator by hundreds of lines of code and greatly reducing its complexity. Removing this feature required a multi-year process of notification, working with partners, and gradual deprecation to avoid disruption in the DNS.
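As an added illustration of the Key and Signing Policy feature described above (this fragment is not from the ISC post; the policy name, key lifetimes, timing values, zone name and file paths are assumptions chosen for the example), a named.conf excerpt shows the shape of a dnssec-policy statement and how a zone references it:

```conf
// Define a signing policy once; any number of zones can reference it.
dnssec-policy "example-policy" {
    // Separate KSK and ZSK, both ECDSAP256SHA256 (algorithm number 13).
    // The KSK is never rolled automatically; the ZSK is rolled every 30 days.
    keys {
        ksk key-directory lifetime unlimited algorithm 13;
        zsk key-directory lifetime P30D algorithm 13;
    };

    // TTL of the DNSKEY RRset and the largest TTL used in the zone.
    dnskey-ttl PT1H;
    max-zone-ttl P1D;

    // RRSIG validity and how long before expiry signatures are regenerated.
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    signatures-refresh P5D;

    // Propagation assumptions that drive the rollover timing.
    zone-propagation-delay PT5M;
    parent-ds-ttl PT1H;
    parent-propagation-delay PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
};

zone "example.test" {
    type master;
    file "/var/named/example.test.db";
    // Keys are generated and maintained by named in this directory.
    key-directory "/var/named/keys";
    // A static zone file is signed in-line; the policy above governs keys and RRSIGs.
    inline-signing yes;
    dnssec-policy "example-policy";
};
```

After loading the configuration, `rndc dnssec -status example.test` reports the policy in effect and the state of each key, which is the quickest way to confirm that the policy was applied as intended.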
Read more about these new editions of BIND in their release notes: