Release Notes for BIND Version 9.14.0rc3
Introduction
BIND 9.14.0 is the first release of a new stable branch of BIND. This
document summarizes new features and functional changes that have been
introduced, as well as features that have been deprecated or removed,
since the last stable branch, 9.12.
Please see the file CHANGES for a more detailed list of changes and bug
fixes.
Note on Version Numbering
As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
release numbering convention. BIND 9.14 contains new features added
during the BIND 9.13 development process. Henceforth, the 9.14 branch
will be limited to bug fixes and new feature development will proceed
in the unstable 9.15 branch, and so forth.
Supported Platforms
Since 9.12, BIND has undergone substantial code refactoring and
cleanup, and some very old code has been removed that was needed to
support legacy platforms which are no longer supported by their vendors
and for which ISC is no longer able to perform quality assurance
testing. Specifically, workarounds for old versions of UnixWare,
BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.
On UNIX-like systems, BIND now requires support for POSIX.1c threads
(IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542),
and standard atomic operations provided by the C compiler.
More information can be found in the PLATFORM.md file that is included
in the source distribution of BIND 9. If your platform compiler and
system libraries provide the above features, BIND 9 should compile and
run. If that isn't the case, the BIND development team will generally
accept patches that add support for systems that are still supported by
their respective vendors.
As of BIND 9.14, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL
cryptography library must be available for the target platform. A
PKCS#11 provider can be used instead for Public Key cryptography (i.e.,
DNSSEC signing and validation), but OpenSSL is still required for
general cryptography operations such as hashing and random number
generation.
Download
The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
New Features
* Task manager and socket code have been substantially modified. The
manager uses per-cpu queues for tasks and network stack runs
multiple event loops in CPU-affinitive threads. This greatly
improves performance on large systems, especially when using
multi-queue NICs.
* Support for QNAME minimization was added and enabled by default in
relaxed mode, in which BIND will fall back to normal resolution if
the remote server returns something unexpected during the query
minimization process. This default setting might change to strict
in the future.
* A new plugin mechanism has been added to allow extension of query
processing functionality through the use of external libraries. The
new filter-aaaa.so plugin replaces the filter-aaaa feature that was
formerly implemented as a native part of BIND.
The plugin API is a work in progress and is likely to evolve as
further plugins are implemented. [GL #15]
* A new secondary zone option, mirror, enables named to serve a
transferred copy of a zone's contents without acting as an
authority for the zone. A zone must be fully validated against an
active trust anchor before it can be used as a mirror zone. DNS
responses from mirror zones do not set the AA bit ("authoritative
answer"), but do set the AD bit ("authenticated data"). This
feature is meant to facilitate deployment of a local copy of the
root zone, as described in RFC 7706. [GL #33]
* BIND now can be compiled against the libidn2 library to add
IDNA2008 support. Previously, BIND supported IDNA2003 using the
(now obsolete and unsupported) idnkit-1 library.
* named now supports the "root key sentinel" mechanism. This enables
validating resolvers to indicate which trust anchors are configured
for the root, so that information about root key rollover status
can be gathered. To disable this feature, add root-key-sentinel no;
to named.conf. [GL #37]
* The dnskey-sig-validity option allows the sig-validity-interval to
be overriden for signatures covering DNSKEY RRsets. [GL #145]
* When built on Linux, BIND now requires the libcap library to set
process privileges. The adds a new compile-time dependency, which
can be met on most Linux platforms by installing the libcap-dev or
libcap-devel package. BIND can also be built without capability
support by using configure --disable-linux-caps, at the cost of
some loss of security.
* The validate-except option specifies a list of domains beneath
which DNSSEC validation should not be performed, regardless of
whether a trust anchor has been configured above them. [GL #237]
* Two new update policy rule types have been added krb5-selfsub and
ms-selfsub which allow machines with Kerberos principals to update
the name space at or below the machine names identified in the
respective principals.
* The new configure option --enable-fips-mode can be used to make
BIND enable and enforce FIPS mode in the OpenSSL library. When
compiled with such option the BIND will refuse to run if FIPS mode
can't be enabled, thus this option must be only enabled for the
systems where FIPS mode is available.
* Two new configuration options min-cache-ttl and min-ncache-ttl has
been added to allow the BIND 9 administrator to override the
minimum TTL in the received DNS records (positive caching) and for
storing the information about non-existent records (negative
caching). The configured minimum TTL for both configuration options
cannot exceed 90 seconds.
* rndc status output now includes a reconfig/reload in progress
status line if named configuration is being reloaded.
* The new answer-cookie option, if set to no, prevents named from
returning a DNS COOKIE option to a client, even if such an option
was present in the request. This is only intended as a temporary
measure, for use when named shares an IP address with other servers
that do not yet support DNS COOKIE. A mismatch between servers on
the same address is not expected to cause operational problems, but
the option to disable COOKIE responses so that all servers have the
same behavior is provided out of an abundance of caution. DNS
COOKIE is an important security mechanism, and this option should
not be used to disable it unless absolutely necessary.
Removed Features
* Workarounds for servers that misbehave when queried with EDNS have
been removed, because these broken servers and the workarounds for
their noncompliance cause unnecessary delays, increase code
complexity, and prevent deployment of new DNS features. See
https://dnsflagday.net for further details.
In particular, resolution will no longer fall back to plain DNS
when there was no response from an authoritative server. This will
cause some domains to become non-resolvable without manual
intervention. In these cases, resolution can be restored by adding
server clauses for the offending servers, specifying edns no or
send-cookie no, depending on the specific noncompliance.
To determine which server clause to use, run the following commands
to send queries to the authoritative servers for the broken domain:
dig soa <zone> @<server> +dnssec
dig soa <zone> @<server> +dnssec +nocookie
dig soa <zone> @<server> +noedns
If the first command fails but the second succeeds, the server most
likely needs send-cookie no. If the first two fail but the third
succeeds, then the server needs EDNS to be fully disabled with edns
no.
Please contact the administrators of noncompliant domains and
encourage them to upgrade their broken DNS servers. [GL #150]
* Previously, it was possible to build BIND without thread support
for old architectures and systems without threads support. BIND now
requires threading support (either POSIX or Windows) from the
operating system, and it cannot be built without threads.
* The filter-aaaa, filter-aaaa-on-v4, and filter-aaaa-on-v6 options
have been removed from named, and can no longer be configured using
native named.conf syntax. However, loading the new filter-aaaa.so
plugin and setting its parameters provides identical functionality.
* named can no longer use the EDNS CLIENT-SUBNET option for view
selection. In its existing form, the authoritative ECS feature was
not fully RFC-compliant, and could not realistically have been
deployed in production for an authoritative server; its only
practical use was for testing and experimentation. In the interest
of code simplification, this feature has now been removed.
The ECS option is still supported in dig and mdig via the +subnet
argument, and can be parsed and logged when received by named, but
it is no longer used for ACL processing. The geoip-use-ecs option
is now obsolete; a warning will be logged if it is used in
named.conf. ecs tags in an ACL definition are also obsolete, and
will cause the configuration to fail to load if they are used. [GL
#32]
* dnssec-keygen can no longer generate HMAC keys for TSIG
authentication. Use tsig-keygen to generate these keys. [RT #46404]
* Support for OpenSSL 0.9.x has been removed. OpenSSL version 1.0.0
or greater, or LibreSSL is now required.
* The configure --enable-seccomp option, which formerly turned on
system-call filtering on Linux, has been removed. [GL #93]
* IPv4 addresses in forms other than dotted-quad are no longer
accepted in master files. [GL #13] [GL #56]
* IDNA2003 support via (bundled) idnkit-1.0 has been removed.
* The "rbtdb64" database implementation (a parallel implementation of
"rbt") has been removed. [GL #217]
* The -r randomdev option to explicitly select random device has been
removed from the ddns-confgen, rndc-confgen, nsupdate,
dnssec-confgen, and dnssec-signzone commands.
The -p option to use pseudo-random data has been removed from the
dnssec-signzone command.
* Support for the RSAMD5 algorithm has been removed freom BIND as the
usage of the RSAMD5 algorithm for DNSSEC has been deprecated in
RFC6725, the security of the MD5 algorithm has been compromised,
and its usage is considered harmful.
* Support for the ECC-GOST (GOST R 34.11-94) algorithm has been
removed from BIND, as the algorithm has been superseded by GOST R
34.11-2012 in RFC6986 and it must not be used in new deployments.
BIND will neither create new DNSSEC keys, signatures and digests,
nor it will validate them.
* Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from
BIND as the DSA key length is limited to 1024 bits and this is not
considered secure enough.
* named will no longer ignore "no-change" deltas when processing an
IXFR stream. This had previously been permitted for compatibility
with BIND 8, but now "no-change" deltas will trigger a fallback to
AXFR as the recovery mechanism.
* BIND 9 will no longer build on platforms that don't have proper
IPv6 support. BIND 9 now also requires POSIX-compatible pthread
support. Most of the platforms that lack these featuers are long
past their end-of-lifew dates, and they are neither developed nor
supported by their respective vendors.
* The incomplete support for internationalization message catalogs
has been removed from BIND. Since the internationalization was
never completed, and no localized message catalogs were ever made
available for the portions of BIND in which they could have been
used, this change will have no effect except to simplify the source
code. BIND's log messages and other output were already only
available in English.
Feature Changes
* BIND will now always use the best CSPRNG (cryptographically-secure
pseudo-random number generator) available on the platform where it
is compiled. It will use the arc4random() family of functions on
BSD operating systems, getrandom() on Linux and Solaris,
CryptGenRandom on Windows, and the selected cryptography provider
library (OpenSSL or PKCS#11) as the last resort. [GL #221]
* The default setting for dnssec-validation is now auto, which
activates DNSSEC validation using the IANA root key. (The default
can be changed back to yes, which activates DNSSEC validation only
when keys are explicitly configured in named.conf, by building BIND
with configure --disable-auto-validation.) [GL #30]
* BIND can no longer be built without DNSSEC support. A cryptography
provider (i.e., OpenSSL or a hardware service module with PKCS#11
support) must be available. [GL #244]
* Zone types primary and secondary are now available as synonyms for
master and slave, respectively, in named.conf.
* named will now log a warning if the old root DNSSEC key is
explicitly configured and has not been updated. [RT #43670]
* dig +nssearch will now list name servers that have timed out, in
addition to those that respond. [GL #64]
* Up to 64 response-policy zones are now supported by default;
previously the limit was 32. [GL #123]
* Several configuration options for time periods can now use TTL
value suffixes (for example, 2h or 1d) in addition to an integer
number of seconds. These include fstrm-set-reopen-interval,
interface-interval, max-cache-ttl, max-ncache-ttl, max-policy-ttl,
and min-update-interval. [GL #203]
* NSID logging (enabled by the request-nsid option) now has its own
nsid category, instead of using the resolver category.
* The rndc nta command could not differentiate between views of the
same name but different class; this has been corrected with the
addition of a -class option. [GL #105]
* allow-recursion-on and allow-query-cache-on each now default to the
other if only one of them is set, in order to be consistent with
the way allow-recursion and allow-query-cache work. [GL #319]
* When compiled with IDN support, the dig and nslookup commands now
disable IDN processing when the standard output is not a TTY (i.e.,
when the output is not being read by a human). When running from a
shell script, the command line options +idnin and +idnout may be
used to enable IDN processing of input and output domain names,
respectively. When running on a TTY, the +noidnin and +noidnout
options may be used to disable IDN processing of input and output
domain names.
* The configuration option max-ncache-ttl cannot exceed seven days.
Previously, larger values than this were silently lowered; now,
they trigger a configuration error.
* The new dig -r command line option disables reading of the file
$HOME/.digrc.
* Zone signing and key maintenance events are now logged to the
dnssec category rather than zone.
License
BIND is open source software licenced under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).
The license requires that if you make changes to BIND and distribute
them outside your organization, those changes must be published under
the same license. It does not require that you publish or disclose
anything other than the changes you have made to our software. This
requirement does not affect anyone who is using BIND, with or without
modifications, without redistributing it, nor anyone redistributing
BIND without changes.
Those wishing to discuss license compliance may contact ISC at
https://www.isc.org/mission/contact/.
End of Life
The end of life date for BIND 9.14 has not yet been determined. For
those needing long term support, the current Extended Support Version
(ESV) is BIND 9.11, which will be supported until at least December
2021. See https://www.isc.org/downloads/software-support-policy/ for
details of ISC's software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
make quality open source software, please visit our donations page at
http://www.isc.org/donate/.