Release Notes for BIND Version 9.13.2

Introduction

   BIND 9.13 is an unstable development release of BIND. This document
   summarizes new features and functional changes that have been
   introduced on this branch. With each development release leading up to
   the stable BIND 9.14 release, this document will be updated with
   additional features added and bugs fixed.

Note on Version Numbering

   Prior to BIND 9.13, new feature development releases were tagged as
   "alpha" and "beta", leading up to the first stable release for a given
   development branch, which always ended in ".0".

   Now, however, BIND has adopted the "odd-unstable/even-stable" release
   numbering convention. There will be no "alpha" or "beta" releases in
   the 9.13 branch, only increasing version numbers. So, for example, what
   would previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so
   on, will instead be called 9.13.0, 9.13.1, 9.13.2, etc.

   The first stable release from this development branch will be renamed
   as 9.14.0. Thereafter, maintenance releases will continue on the 9.14
   branch, while unstable feature development proceeds in 9.15.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

Security Fixes

     * When recursion is enabled but the allow-recursion and
       allow-query-cache ACLs are not specified, they should be limited to
       local networks, but they were inadvertently set to match the
       default allow-query, thus allowing remote queries. This flaw is
       disclosed in CVE-2018-5738. [GL #309]

New Features

     * A new secondary zone option, mirror, enables named to serve a
       transferred copy of a zone's contents without acting as an
       authority for the zone. A zone must be fully validated against an
       active trust anchor before it can be used as a mirror zone. DNS
       responses from mirror zones do not set the AA bit ("authoritative
       answer"), but do set the AD bit ("authenticated data"). This
       feature is meant to facilitate deployment of a local copy of the
       root zone, as described in RFC 7706. [GL #33]
     * BIND now can be compiled against the libidn2 library to add
       IDNA2008 support. Previously, BIND supported IDNA2003 using the
       (now obsolete and unsupported) idnkit-1 library.
     * named now supports the "root key sentinel" mechanism. This enables
       validating resolvers to indicate which trust anchors are configured
       for the root, so that information about root key rollover status
       can be gathered. To disable this feature, add root-key-sentinel no;
       to named.conf. [GL #37]
     * The dnskey-sig-validity option allows the sig-validity-interval to
       be overriden for signatures covering DNSKEY RRsets. [GL #145]
     * Support for QNAME minimization was added and enabled by default in
       relaxed mode, in which BIND will fall back to normal resolution if
       the remote server returns something unexpected during the query
       minimization process. This default setting might change to strict
       in the future.
     * When built on Linux, BIND now requires the libcap library to set
       process privileges. The adds a new compile-time dependency, which
       can be met on most Linux platforms by installing the libcap-dev or
       libcap-devel package. BIND can also be built without capability
       support by using configure --disable-linux-caps, at the cost of
       some loss of security.

Removed Features

     * named can no longer use the EDNS CLIENT-SUBNET option for view
       selection. In its existing form, the authoritative ECS feature was
       not fully RFC-compliant, and could not realistically have been
       deployed in production for an authoritative server; its only
       practical use was for testing and experimentation. In the interest
       of code simplification, this feature has now been removed.
       The ECS option is still supported in dig and mdig via the +subnet
       argument, and can be parsed and logged when received by named, but
       it is no longer used for ACL processing. The geoip-use-ecs option
       is now obsolete; a warning will be logged if it is used in
       named.conf. ecs tags in an ACL definition are also obsolete, and
       will cause the configuration to fail to load if they are used. [GL
       #32]
     * dnssec-keygen can no longer generate HMAC keys for TSIG
       authentication. Use tsig-keygen to generate these keys. [RT #46404]
     * Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0
       or greater, or LibreSSL is now required.
     * The configure --enable-seccomp option, which formerly turned on
       system-call filtering on Linux, has been removed. [GL #93]
     * IPv4 addresses in forms other than dotted-quad are no longer
       accepted in master files. [GL #13] [GL #56]
     * IDNA2003 support via (bundled) idnkit-1.0 has been removed.
     * The "rbtdb64" database implementation (a parallel implementation of
       "rbt") has been removed. [GL #217]
     * The -r randomdev option to explicitly select random device has been
       removed from the ddns-confgen, rndc-confgen, nsupdate,
       dnssec-confgen, and dnssec-signzone commands.
       The -p option to use pseudo-random data has been removed from the
       dnssec-signzone command.
     * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed
       from BIND as the algorithm has been superseded by GOST R 34.11-2012
       in RFC6986 and it must not be used in new deployments. BIND will
       neither create new DNSSEC keys, signatures and digest, nor it will
       validate them.
     * Add the ability to not return a DNS COOKIE option when one is
       present in the request. To prevent a cookie being returned add
       'answer-cookie no;' to named.conf. [GL #173]
       answer-cookie is only intended as a temporary measure, for use when
       named shares an IP address with other servers that do not yet
       support DNS COOKIE. A mismatch between servers on the same address
       is not expected to cause operational problems, but the option to
       disable COOKIE responses so that all servers have the same behavior
       is provided out of an abundance of caution. DNS COOKIE is an
       important security mechanism, and should not be disabled unless
       absolutely necessary.

Feature Changes

     * BIND will now always use the best CSPRNG (cryptographically-secure
       pseudo-random number generator) available on the platform where it
       is compiled. It will use arc4random() family of functions on BSD
       operating systems, getrandom() on Linux and Solaris, CryptGenRandom
       on Windows, and the selected cryptography provider library (OpenSSL
       or PKCS#11) as the last resort. [GL #221]
     * The default setting for dnssec-validation is now auto, which
       activates DNSSEC validation using the IANA root key. (The default
       can be changed back to yes, which activates DNSSEC validation only
       when keys are explicitly configured in named.conf, by building BIND
       with configure --disable-auto-validation.) [GL #30]
     * BIND can no longer be built without DNSSEC support. A cryptography
       provder (i.e., OpenSSL or a hardware service module with PKCS#11
       support) must be available. [GL #244]
     * Zone types primary and secondary are now available as synonyms for
       master and slave, respectively, in named.conf.
     * named will now log a warning if the old root DNSSEC key is
       explicitly configured and has not been updated. [RT #43670]
     * dig +nssearch will now list name servers that have timed out, in
       addition to those that respond. [GL #64]
     * dig +noidnin can be used to disable IDN processing on the input
       domain name, when BIND is compiled with IDN support.
     * Up to 64 response-policy zones are now supported by default;
       previously the limit was 32. [GL #123]
     * Several configuration options for time periods can now use TTL
       value suffixes (for example, 2h or 1d) in addition to an integer
       number of seconds. These include fstrm-set-reopen-interval,
       interface-interval, max-cache-ttl, max-ncache-ttl, max-policy-ttl,
       and min-update-interval. [GL #203]
     * NSID logging (enabled by the request-nsid option) now has its own
       nsid category, instead of using the resolver category.

Bug Fixes

     * named now rejects excessively large incremental (IXFR) zone
       transfers in order to prevent possible corruption of journal files
       which could cause named to abort when loading zones. [GL #339]

License

   BIND is open source software licenced under the terms of the Mozilla
   Public License, version 2.0 (see the LICENSE file for the full text).

   The license requires that if you make changes to BIND and distribute
   them outside your organization, those changes must be published under
   the same license. It does not require that you publish or disclose
   anything other than the changes you have made to our software. This
   requirement does not affect anyone who is using BIND, with or without
   modifications, without redistributing it, nor anyone redistributing
   BIND without changes.

   Those wishing to discuss license compliance may contact ISC at
   https://www.isc.org/mission/contact/.

End of Life

   BIND 9.13 is an unstable development branch. When its development is
   complete, it will be renamed to BIND 9.14, which will be a stable
   branch.

   The end of life date for BIND 9.14 has not yet been determined. For
   those needing long term support, the current Extended Support Version
   (ESV) is BIND 9.11, which will be supported until at least December
   2021. See https://www.isc.org/downloads/software-support-policy/ for
   details of ISC's software support policy.

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at
   http://www.isc.org/donate/.