BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (As a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain controls channel are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zone are now fully covered as mentioned in RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
UNIX domain controls channel are now supported
UNIX domain control channels, which were present in BIND 8, are now supported again. This
feature allows local control of the name server. The same task can be performed with the inet
channel.
Introduction of new zonefile format to enhance loading performance
A new zone file format, called the “raw” format, has been introduced in BIND 9.7.3. It is a
binary format that represents BIND’s internal data structure, so the time required to load
a zone file into the name server’s memory is reduced.
A new option, masterfile-format, and a new binary, named-compilezone, were introduced
to support it. masterfile-format specifies the format of BIND’s database file,
and named-compilezone is a tool that converts a zone file from one format to another.
Other formats are possible, but at present only the “raw” format is supported.
Extended post zone load checks. New configuration options for same
named performs post-load zone integrity checks on master zones. These checks verify that MX and
SRV records refer to address (A or AAAA) records and that glue address records exist for delegated zones.
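The two checks described above, sketched in Python as an added example (not BIND's code or anything from HP): it flags MX and SRV targets that have no A or AAAA record and delegations whose name server inside the delegated zone has no glue. The zone data is constructed, records are assumed to be one per line with fully qualified names, only targets inside the zone are checked, and parse_zone, in_or_below and check_integrity are names chosen for this example.

```python
# Added example: simplified post-load integrity check (not BIND source code).
# Constructed sample zone; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
ZONE = """\
example.com.            SOA   ns1.example.com. admin.example.com. 1 3600 600 86400 300
example.com.            NS    ns1.example.com.
example.com.            MX    10 mail.example.com.
example.com.            MX    20 backup.example.com.
ns1.example.com.        A     192.0.2.1
mail.example.com.       AAAA  2001:db8::25
_sip._tcp.example.com.  SRV   0 5 5060 sip.example.com.
sub.example.com.        NS    ns.sub.example.com.
sub.example.com.        NS    ns.other.example.net.
lab.example.com.        NS    ns.lab.example.com.
ns.lab.example.com.     A     192.0.2.53
"""

def parse_zone(text):
    """Return (owner, type, rdata_fields) tuples; everything is lower-cased except the type."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if line:
            owner, rtype, *rdata = line.split()
            records.append((owner.lower(), rtype.upper(), [f.lower() for f in rdata]))
    return records

def in_or_below(name, zone):
    """True if name is the zone apex or a descendant (match on a label boundary)."""
    return name == zone or name.endswith("." + zone)

def check_integrity(origin, records):
    """Return a list of problems for MX/SRV targets and delegation glue."""
    origin = origin.lower()
    has_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("MX", "SRV"):
            target = rdata[-1]                    # the target is the last field of both types
            if in_or_below(target, origin) and target not in has_addr:
                problems.append(f"{owner} {rtype} -> {target}: no A/AAAA record")
        elif rtype == "NS" and owner != origin:   # NS below the apex is a delegation
            target = rdata[0]
            if in_or_below(target, owner) and target not in has_addr:
                problems.append(f"{owner} NS -> {target}: missing glue")
    return problems

if __name__ == "__main__":
    for problem in check_integrity("example.com.", parse_zone(ZONE)):
        print(problem)
```

The name server ns.other.example.net. is not reported because it lies outside the delegated zone and needs no glue.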
Dig now has new options
The new options are showsearch, edns and nsid. The -m and -q options have also been
introduced.
Recursive clients for same query can now be controlled with new configuration options
The new configuration options are:
• recursive-clients: To specify the maximum number of simultaneous recursive lookups the server will perform on behalf of clients.
• clients-per-query: To specify the minimum value of simultaneous recursive queries for the same question.
• max-clients-per-query: To specify the maximum value of simultaneous recursive queries for the same question.
Automatic empty zone are now fully covered as mentioned in RFC 1918 zones
Empty zones were introduced in BIND 9.4 and have been backported to HP-UX BIND 9.7.3.
RFC 1918 mentions a set of empty zones, but only one of them (D.F.IP6.ARPA)
was enabled because of compatibility issues. In BIND 9.7, all of those zones have been enabled.
New empty zones added are:
• 0.IN-ADDR.ARPA
• 127.IN-ADDR.ARPA
• 254.169.IN-ADDR.ARPA
• 2.0.192.IN-ADDR.ARPA
• 255.255.255.255.IN-ADDR.ARPA
• 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
• 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA