BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (as a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option "allow-query-cache"
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain control channels are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post-zone-load checks, with new configuration options for them
- Dig now has new options
- Recursive clients for the same query can now be controlled with new configuration options
- Automatic empty zones now fully cover the zones mentioned in RFC 1918
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
Product documentation
For more information on configuring and administering BIND, see the HP-UX IP Address and Client
Management Services Administrator’s Guide at
http://www.hp.com/go/hpux-networking-docs.
Defects fixed in this release
This section discusses the defects fixed in the HP-UX 11i v3
Defects fixed in the HP-UX 11i v3 operating system
Table 3 Defects Fixed in the HP-UX 11i v3 Operating System
Description | Identifier

Defects fixed in BIND 9.7.3 (C.9.7.3.4.0)
CVE-2014-0591: BIND crashes with an INSIST failure in named.c due to a defect in handling queries for NSEC3-signed zones. | QXCR1001328817
HP-UX: The named.64 daemon core dumps when DNSSEC is enabled. | QXCR1001313373
The rrset-order fixed option does not work in 9.7.3. | QXCR1001317743
The named daemon fails in zone.c:9172: INSIST(((zone)->locked)) failed. | QXCR1001316402
There is unacceptable performance degradation of hosts_to_named. | QXCR1001324362
The hosts_to_named(1M) script returns exit code 0 even when the script fails. | QXCR1001063512

Defects fixed in BIND 9.7.3 (C.9.7.3.3.0)
CVE-2013-4854: A specially crafted query that includes malformed rdata can terminate named(1M) with an assertion failure while rejecting that query. | QXCR1001299199

Defects fixed in BIND 9.7.3 (C.9.7.3.2.0)
CVE-2013-2266: A maliciously crafted regular expression can cause memory exhaustion in named(1M). | QXCR1001275143

Defects fixed in BIND 9.7.3 (C.9.7.3.1.0)
A design limitation in named(1M) allowed information to persist in the cache beyond the period allowed by its TTL value, so named(1M) could return incorrect answers. | QXCR1001248763
A limitation in the named(1M) control scripts prevented named.64 from being killed. | QXCR1001252456

Defects fixed in BIND 9.7.3 (C.9.7.3.0.0)
BIND 9.3.2 lacks features, especially the enhanced DNSSEC features. | QXCR1001064555
Heavy DNSSEC validation load causes a "Bad Cache" assertion failure. | QXCR1001230666
Incorrect data handling causes named to terminate unexpectedly. | QXCR1001231524
If a record with RDATA in excess of 65535 bytes is loaded into a nameserver, a subsequent query for that record causes named(1M) to exit; this was a design limitation in how named(1M) handled a query in that scenario. | QXCR1001248763
named(1M) hangs and stops responding to queries or control commands when specific combinations of RDATA are loaded into named(1M) through a cache or authoritative zone and a subsequent query is made. | QXCR1001243950