BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (as a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option "allow-query-cache"
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain control channels are now supported
- Introduction of a new zone file format to enhance loading performance
- Extended post-zone-load checks, with new configuration options for them
- Dig now has new options
- Recursive clients for the same query can now be controlled with new configuration options
- Automatic empty zones now fully cover the zones mentioned in RFC 1918
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
DNSSEC validation is set by default and can be unset explicitly
Previously, before BIND 9.7.3, validation was turned on whenever the trusted-keys directive was present in named.conf. Now, whether validation is on or off can be stated explicitly with the dnssec-validation global option.
SPF (Sender Policy Framework) support
The design intent of the SPF record is to let a receiving MTA (Message Transfer Agent) interrogate the name server of the domain that appears in the email as the sender, and determine whether the originating IP address of the mail (the source) is authorized to send mail for the sender's domain. The mail sender is required to publish an SPF RR.
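A minimal evaluator for the check described above, added here as an illustration and not code from BIND or HP. It handles only the ip4, ip6 and all mechanisms (which need no DNS lookup) against a constructed record, and reports the DNS-dependent mechanisms (include, a, mx, exists) as unsupported rather than resolving them.

```python
"""Minimal SPF (v=spf1) evaluator for network-literal mechanisms only."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record for the sender's domain (not a real zone).
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~ip4:198.51.100.25 -all"


def evaluate_spf(source_ip, spf_record):
    """Return the SPF result for source_ip against a v=spf1 record string."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(source_ip)
    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                       # no match: try the next mechanism
        if "=" in term:
            continue                       # modifier (redirect=, exp=): ignored here
        return "unsupported"               # include/a/mx/exists would need DNS
    return "neutral"                       # RFC 7208 default when nothing matched
```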
Support for new resource records
The following are the new resource records that BIND 9.7 supports:
• IPSECKEY RR (RFC 4025): Provides a method for storing IPsec keying material in DNS. It also carries gateway information for the host.
• DHCID RR (RFC 4701): Using this resource record, one can identify the DHCP client associated with a particular hostname.
• A (address) RR for the CH class: Used for BIND's built-in server information zones, e.g., version.bind.
New binaries have been added
Most of them are tools that simplify DNSSEC key management; the others were introduced to support new features in BIND 9.7. They include:
• ddns-confgen: Just as rndc-confgen simplifies the configuration required for 'rndc' by generating a ready-to-use rndc.conf, ddns-confgen simplifies DDNS (Dynamic DNS) by generating configuration that is ready to use with nsupdate.
• named-compilezone: Takes a zone file in text format and outputs it in 'raw' format, which is a memory dump of the zone file. A zone file in this format can be loaded into memory directly, improving zone load performance.
• named-journalprint: Prints the journal file in text format. Previously the journal file could not be read, since it was in binary ('raw') format.
• isc-hmac-fixup: Fixes HMAC keys generated by older versions of BIND. A bug in BIND caused TSIG keys longer than the digest length of the hash algorithm to generate incorrect MACs, which were incompatible with other DNS implementations. This bug has been corrected in BIND 9.7. In our case, users of HP-UX BIND 9.3.2 and BIND 9.2.0 are affected.
• nsec3hash: Generates an NSEC3 hash.
• dnssec-revoke: Sets the REVOKED bit on a DNSSEC key. This simplifies DNSSEC key management in the sense that it also generates new keys after revoking the specified key.
• dnssec-settime: Sets the key timing metadata for a DNSSEC key. The ability to change the meta.
• dnssec-dsfromkey: Generates DS records from the DNSKEY contained in an existing keyset or key file. This tool can also be used to generate the DS RR from the root's KSK; the hash in that DS RR can then be compared with the hash published at ITAR, as part of offline verification, to facilitate further DNSSEC operations.
• genrandom: Generates files containing pseudo-random data. This binary is actually not required on HP-UX, since it has its own random device (/dev/random), which requires the KRNG
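The key-length defect behind isc-hmac-fixup, modelled in Python as an added illustration (not ISC's or HP's code). It assumes the affected releases applied the RFC 2104 long-key hashing rule at the digest length (20 bytes for SHA-1) instead of at the hash block length (64 bytes), and that the fixup replaces such a key with its digest so that a correct implementation reproduces the MACs the old code produced; keys no longer than the digest length are unaffected either way.

```python
"""Model of the pre-9.7 BIND HMAC key-length defect and the isc-hmac-fixup repair."""
import hashlib
import hmac


def hmac_generic(key, msg, shorten_at=None, hashmod=hashlib.sha1):
    """RFC 2104 HMAC; keys longer than `shorten_at` bytes are hashed first."""
    block = hashmod().block_size           # 64 bytes for SHA-1
    threshold = block if shorten_at is None else shorten_at
    if len(key) > threshold:
        key = hashmod(key).digest()
    key = key.ljust(block, b"\x00")        # zero-pad to the block length
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashmod(opad + hashmod(ipad + msg).digest()).digest()


def correct_mac(key, msg):
    """Standards-conforming HMAC-SHA1 (threshold at the block length)."""
    return hmac_generic(key, msg)


def stdlib_mac(key, msg):
    """Reference value from the standard library, for cross-checking."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def buggy_mac(key, msg):
    """Assumed behaviour of the affected releases: threshold at the digest length."""
    return hmac_generic(key, msg, shorten_at=hashlib.sha1().digest_size)


def fixup_key(key):
    """Key that a correct HMAC-SHA1 turns into the MAC the buggy code produced."""
    if len(key) > hashlib.sha1().digest_size:
        return hashlib.sha1(key).digest()
    return key


# Constructed sample keys and message (not real TSIG material).
SHORT_KEY = bytes(range(16))               # 16 bytes: unaffected
LONG_KEY = bytes(range(32))                # 32 bytes: longer than the SHA-1 digest
MSG = b"constructed TSIG-signed message"
```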