BIND 9.7.
© Copyright 2003, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
HP secure development lifecycle
1 BIND 9.7.3 release notes
Announcement
What is in this version?
New binaries have been added
Changed features
Installing BIND 9.7.3
Prerequisites
HP secure development lifecycle
Starting with the HP-UX 11i v3 March 2013 update release, the HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through this release. To verify the software signatures in a signed depot, the following products must be installed on your system:
• B.11.31.
1 BIND 9.7.3 release notes
This document discusses the most recent product information pertaining to Berkeley Internet Name Domain (BIND) 9.7.3. It also discusses how to install BIND 9.7.3 on the HP-UX 11i v3 operating system.
Announcement
BIND is a Berkeley implementation of the Domain Name System (DNS). It is a distributed network information lookup service that maps host names to Internet addresses, and Internet addresses to host names.
For this purpose, the ‘attach-cache’ option was introduced in named.conf; it takes the cache_name as its value. The cache name is the name of the first view whose cache needs to be shared.
DNS rebinding attack prevention
In a DNS rebinding attack, the embedded web code (responsible for fetching web content) of a malicious webpage queries the attacker’s DNS server for a domain that resolves to an IP address internal to the victim’s domain.
are presented in the form of their hashes. This prevents the zone information from leaking. The client itself generates a hash of the QNAME and verifies it against the hashes in the proof. NSEC3 requires more computation than NSEC, and hence is recommended only if zone enumeration is a real concern. BIND 9.7 provides facilities to convert a signed zone with an NSEC chain to an NSEC3 chain and vice versa.
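The hashing and client-side check described above, as an added example (not part of these release notes and not BIND's own code). It follows the RFC 5155 NSEC3 hash with SHA-1; the salt aabbccdd, iteration count 12 and zone name example are the sample-zone parameters published in RFC 5155, and all function names are illustrative.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the order-preserving base32hex one (RFC 4648).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` more rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target falls strictly inside the NSEC3 interval (owner, next)."""
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    # The last record of the chain wraps around to the first one.
    return target_hash > owner_hash or target_hash < next_hash

def proves_nonexistence(qname, owner_hash, next_hash, salt_hex, iterations):
    """Client-side check: hash the QNAME and test it against one NSEC3 RR."""
    return covers(owner_hash, next_hash, nsec3_hash(qname, salt_hex, iterations))

if __name__ == "__main__":
    SALT, ITER = "aabbccdd", 12          # RFC 5155 sample-zone parameters
    apex = nsec3_hash("example", SALT, ITER)
    ns1 = nsec3_hash("ns1.example", SALT, ITER)
    print("H(example)     =", apex)
    print("H(ns1.example) =", ns1)
    # Constructed query name; the result depends only on where its hash sorts.
    print(proves_nonexistence("c.x.w.example", apex, ns1, SALT, ITER))
```

Because base32hex preserves byte order, plain string comparison of the encoded hashes is enough for the interval test. The iteration count is what makes NSEC3 more expensive than NSEC for both server and validator.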
Default PID file location
The default location for PID files changed from /var/run/named.pid to /var/run/named/named.pid and /var/run/lwresd/lwresd.pid for improved chroot/setuid support. This allows the owner of the containing directory to be set, for "named -u" support, and allows there to be a permanent symbolic link in the path, for "named -t" support.
Default TTL with nsupdate
A new command, ‘ttl’, has been introduced in nsupdate to set the default value for all updates.
Convenient syntax for already existing options like query-source, server statement in rndc.conf
The syntax of notify-source for specifying the IP address and port number can now also be used for query-source.
New acl option “allow-query-cache”
A new configuration option, allow-query-cache, is introduced to control which answers are provided from the cache. In the previous version of BIND, BIND 9.3.2, access to the server’s cache is available to all clients by default.
UNIX domain control channels are now supported
UNIX domain control channels, which were present in BIND 8, are now supported again. This feature allows local control of the name server. The same task can be performed with the inet channel.
Introduction of new zonefile format to enhance loading performance
A new zone file format has been introduced in BIND 9.7.3; it is called the “raw” format. This is a binary format representing BIND’s internal data structure.
• 8.E.F.IP6.ARPA
• 9.E.F.IP6.ARPA
• A.E.F.IP6.ARPA
• B.E.F.IP6.ARPA
New update-policy fields added
New fields for update-policy options have been included:
• Zonesub: It matches when the name being updated is a subdomain of the zone in which the update-policy statement appears. This obviates the need to type the zone name twice, and enables the use of a standard update-policy statement in multiple.
• Selfsub: This rule is similar to self except that subdomains of self can also be updated.
DNSSEC validation is set by default and can be unset explicitly
Previously, in BIND-9.7.3, validation would turn on when the trusted-key directive was present in named.conf. Now, validation can be turned on or off explicitly using the dnssec-validation global option.
patch to be installed. But we will keep it, since if some machine does not have this patch it can still do DNSSEC.
• arpaname: translate IP addresses to the corresponding ARPA names.
Changed features
The following are the changed features in BIND 9.7.3:
• The default value of the dnssec-enable configuration parameter in named.conf has been set to yes; earlier it was set to no.
• The default named.pid location has been changed, in source, to /var/run/named/named.pid. Earlier, it was /var/run/named.pid.
12. To verify that the BIND 9.7.3 depot is downloaded properly in the local directory, enter the following HP-UX MD5 Secure Checksum command at the HP-UX prompt:
# md5sum
The result of this command must match the fingerprint provided in the Electronic Delivery Receipt. If the result does not match, download the BIND 9.7.3 depot again.
NOTE: The HP-UX MD5 Secure Checksum software is not installed by default on the system. It is available at: http://h20293.www2.hp.com/
13. To install the BIND 9.
Related information
The following sections discuss the documentation available for BIND 9.7.3.
Manpages
Table 2 (page 16) describes the manpages distributed with the BIND 9.7.3 depot.
Table 2 BIND 9.7.3 Manpage
Manpage               Description
arpaname(1)           Utility to translate IP addresses (IPv4 and IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
ddns-confgen(1)       Tool to generate a key for use by nsupdate and named.
dnssec-dsfromkey(1)   DNSSEC DS RR generation tool.
Product documentation
For more information on configuring and administering BIND, see the HP-UX IP Address and Client Management Services Administrator’s Guide at http://www.hp.com/go/hpux-networking-docs.
Defects fixed in this release
This section discusses the defects fixed in the HP-UX 11i v3
Defects fixed in the HP-UX 11i v3 operating system
Table 3 Defects Fixed in the HP-UX 11i v3 Operating System
Identifier Description
Defects fixed in BIND 9.7.3 (C.9.7.3.4.
HP specific changes
JAGaf74567 : Add an Option statement to disable the EDNS feature on BIND9.
JAGaf74389 : DNS does not check for symbolic links.
JAGaf73027 : OpenSSL stub library and code changes for BIND-9.3.
JAGaf74395 : DNS does not check if dynamic DNS log files are linked. This is similar to JAGaf74389 but checks for journal files.
JAGaf73245 : DoCoMo Performance changes on 11.11.
New deliverables in BIND 9.7.3 and their locations
The following new binaries have been added in BIND 9.7.3. See the individual manpages for more information.
Binaries
/usr/sbin:
• dnssec-dsfromkey
• dnssec-revoke
• dnssec-settime
• arpaname
• named-journalprint
• nsec3hash
• genrandom
• isc-hmac-fixup
• ddns-confgen
New deliverables in BIND 9.7.