BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (as a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain control channels are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zones now fully cover the RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC
- New deliverables in BIND 9.7.3 and their locations
• 8.E.F.IP6.ARPA
• 9.E.F.IP6.ARPA
• A.E.F.IP6.ARPA
• B.E.F.IP6.ARPA
New update-policy fields added
New match types for the update-policy statement have been added:
• zonesub: Matches when the name being updated is a subdomain of the zone in which the
update-policy statement appears. This obviates the need to type the zone name twice, and
enables the use of a standard update-policy statement in multiple zones.
• selfsub: Similar to self, except that subdomains of self can also be updated.
• selfwild: Similar to self, except that only subdomains of self can be updated.
• tcp-self: Allows updates that were sent via TCP and for which the standard mapping from
the initiating IP address into the IN-ADDR.ARPA and IP6.ARPA namespaces matches the
name to be updated.
• 6to4-self: Allows the 6to4 prefix to be updated by any TCP connection from the 6to4 network
or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to
be added to the reverse tree.
New algorithms support
Support for the following HMAC algorithms has been added:
• HMAC-SHA1
• HMAC-SHA224
• HMAC-SHA256
• HMAC-SHA384
• HMAC-SHA512
Support for the SHA-256 digest algorithm has also been added.
Two new DNSSEC algorithms are now supported: RSASHA256 and RSASHA512.
The EDNS response / reply sizes can now be configured
New options for configuring the EDNS response / reply sizes:
• edns-udp-size: Sets the EDNS UDP receive buffer size that the server advertises.
• max-udp-size: Sets the maximum size of the EDNS UDP responses the server sends.
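The new update-policy match types and the EDNS size options shown together in one named.conf fragment (an added example, not part of these release notes or of the HP-UX product; the key name, zone names, file names and secret are constructed placeholders):

```conf
options {
    edns-udp-size 4096;    // EDNS UDP buffer size advertised to peers
    max-udp-size 4096;     // largest UDP response named will send
};

// TSIG key using one of the newly supported HMAC algorithms.
// The secret is a placeholder; generate a real one with dnssec-keygen.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;
    file "example.com.db";
    update-policy {
        // zonesub: the key may update any name under this zone; the
        // name field is omitted, so the same grant works in every zone.
        grant dhcp-updater zonesub A AAAA TXT;
        // selfsub: a host whose TSIG key is named host1.example.com may
        // update host1.example.com and names below it, nothing else.
        grant * selfsub * A AAAA;
    };
};

zone "168.192.in-addr.arpa" {
    type master;
    file "168.192.in-addr.arpa.db";
    update-policy {
        // tcp-self: a client connecting over TCP may update only the
        // PTR record that maps back to its own source address.
        grant * tcp-self . PTR;
    };
};
```

Run named-checkconf on the file before reloading named to catch syntax errors in the grants.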
Defaults have been changed for some configuration and binary options
• dnssec-keygen with no arguments now generates a 1024-bit RSASHA1 ZSK, and with the
-f KSK option it generates a 2048-bit RSASHA1 KSK. It also uses the name type "ZONE"
by default.
• max-cache-size defaults to 0.
• max-acache-size defaults to 16M.
• DNSSEC validation is now turned on by default.
• nslookup, dig and host now advertise a 4096-byte EDNS UDP buffer size by default.