BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (As a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain control channels are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zones are now fully covered as mentioned in RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
HP specific changes
JAGaf74567 : Add an Option statement to disable the EDNS feature on BIND9.
JAGaf74389 : DNS does not check for symbolic links.
JAGaf73027 : OpenSSL stub library and code changes for BIND-9.3.
JAGaf74395 : DNS does not check if dynamic DNS log files are linked. This is similar to
JAGaf74389 but checks for journal files.
JAGaf73245 : DoCoMo Performance changes on 11.11.
QXCR1000791343 : Build 64-bit named binary.
JAGag41036 : named(1M) fails with an "out of memory" error message if the size of the cache
memory exceeds 1 GB.
Defects for which fixes were ported from ISC:
QXCR1000952300 The named daemon does not behave as expected for certain messages.
QXCR1000991848 The nameserver caches invalid responses from the additional section of the
response packet while processing recursive client queries.
QXCR1001009615 The nameserver sometimes returns invalid CNAME or DNAME responses.
QXCR1001004094 The nameserver sometimes returns invalid NXDOMAIN responses.
QXCR1000848700 Some DNS responses arriving at the host are not being delivered to the
/usr/sbin/named process but instead are directed to other processes running on the same host.
QXCR1000879111 The TCP accept() call fails to create the new connection socket and logs one
of the following errors:
internal accept: accept() failed: Too many open files
internal_accept: fcntl() failed: Too many open files
QXCR1000848714 The closure criteria for sockets lead to inconsistent states in the socket module.
QXCR1000886576 Using the rrset-order option with value fixed in the /etc/named.conf file displays
the following error message: rrset-order: order 'fixed' not fully implemented.
QXCR1000893386 The return values from the OpenSSL library functions are not checked properly
in DNS code.
QXCR1000924015 DNSSEC Lookaside Validation (DLV) processing does not handle unknown
signature algorithms correctly.
QXCR1000841386 The local IPv6 unicast addresses, such as fd00::/7, are forwarded to the
root server for resolution.
QXCR1000821672 Forgery resilience needs more improvements.
QXCR1000577501 The rndc(1) recursing output file named.recursing contains old data.
QXCR1000791343 named(1M) fails with an out of memory error message.
JAGag45362 Query ID generation is cryptographically weak.
JAGag32951 named(1M) does not handle queries of type ANY properly.
JAGag32950 named(1M) unexpectedly aborts under certain circumstances.
QXCR1001231524 Handling of zero length rdata causes named to terminate unexpectedly in
BIND 9.7.3.
QXCR1001230666 Heavy DNSSEC Validation Load Can Cause an Assertion Failure in BIND 9.7.
QXCR1001241557 RDATA in excess of 65535 bytes causes named to exit in BIND 9.7.3.