BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (As a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain controls channel are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zone are now fully covered as mentioned in RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
Convenient syntax for already existing options like query-source, server statement in rndc.conf
The notify-source syntax for specifying the IP address and port number can now also be used for
query-source.
New acl option “allow-query-cache”
A new configuration option, allow-query-cache, is introduced to control which answers are provided
from the cache. In the previous version of BIND, BIND 9.3.2, access to the server’s cache was
available to all clients by default. With the introduction of this option, the default behavior is to
restrict access to the cache for all clients. To restore the default behavior of BIND 9.3.2,
allow-query-cache { any; }; must be included in the global options statement.
Additional fields for already existing options like ixfr-from-differences
The ixfr-from-differences configuration option takes two new fields, master and slave, which
enable this feature for all masters and all slaves respectively. This can be set at the view level.
Journal file names are configurable
A new zone option, journal, is introduced in the zone statement; it determines the filename
suffix for the journal file. Previously, the suffix was “jnl” by default.
New control options for rndc like notify, sign, validation and querylog
The above new options have the following functionality:
• notify: Sends a NOTIFY signal to a particular zone.
• sign: Applies when the auto-dnssec option is enabled (i.e. not “off”). When the nameserver is
given this control command, it searches the key-directory for new keys and, if any are found,
re-signs the zone.
• validation: Enables or disables DNSSEC validation on the fly.
• querylog: Used to enable / disable query logging on the fly.
Error messages are now more informative
The error messages in BIND 9.7.3 have been made more informative, which makes errors easier to
understand.
Scope of some ACL (e.g. allow-update) was changed in named.conf.
In BIND 9.3, allow-update can only be set in the zone statement. In BIND 9.7.3, allow-update
can be set in the options statement and at the view level.
New options to control behavior of DNS NOTIFY
The new options introduced for this purpose are:
• notify-delay: The delay between consecutive NOTIFY messages can now be controlled
with this option.
• notify master-only: A new field, master-only, was introduced for the notify option. With
this option set, the server sends NOTIFY messages only for the master zones.
• notify-to-soa: If yes, do not check the nameservers in the NS RRset against the SOA
MNAME.
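
The options described in the sections above (the query-source syntax, allow-query-cache, ixfr-from-differences, journal, the wider allow-update scope and the NOTIFY controls) combined in one named.conf fragment. This is an added example, not part of the HP release notes; the ACL name, addresses, zone, file names and TSIG key are constructed placeholders.

```conf
// Constructed named.conf fragment; every name, address and key is a placeholder.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // assumed internal clients

key "ddns-key" {                  // hypothetical TSIG key, e.g. from ddns-confgen
    algorithm hmac-sha256;
    secret "<base64-secret>";     // placeholder, replace before loading
};

options {
    // BIND 9.3.2 behaviour: answers from the cache for every client.
    // allow-query-cache { any; };

    // Restricted form: only the listed clients are answered from the cache.
    allow-query-cache { trusted; };

    // notify-source style syntax; no fixed port is given, so the source
    // port of outgoing queries stays randomized.
    query-source 192.0.2.53;

    notify master-only;           // send NOTIFY only for master zones
    notify-delay 10;              // seconds between sets of NOTIFY messages
    notify-to-soa no;
};

view "internal" {
    match-clients { trusted; };

    // Enable ixfr-from-differences for all master zones in this view.
    ixfr-from-differences master;

    // View-level allow-update: applies to every master zone in this view
    // that sets no allow-update of its own. Key-based rather than
    // address-based, so one broad ACL does not open all zones to updates.
    allow-update { key "ddns-key"; };

    zone "example.com" {
        type master;
        file "db.example.com";
        journal "db.example.com.journal";   // journal file name set explicitly
    };
};
```

After replacing the placeholder secret, named-checkconf can be used to syntax-check the fragment.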