BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (As a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain controls channel are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zone are now fully covered as mentioned in RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
1 BIND 9.7.3 release notes
This document discusses the most recent product information pertaining to Berkeley Internet Name
Domain (BIND) 9.7.3. It also discusses how to install BIND 9.7.3 on the HP-UX 11i v3 operating
systems.
Announcement
BIND is a Berkeley implementation of the Domain Name System (DNS). It is a distributed network
information lookup service that maps host names to Internet addresses, and Internet addresses to
host names. It also facilitates Internet mail routing by providing a list of hosts that accept mail for
other hosts.
BIND 9.7.3 is the latest web upgrade version of BIND. It is available for download at
http://h20293.www2.hp.com/.
What is in this version?
This version of BIND 9.7.3 for the HP-UX 11i v3 operating systems includes the following new
features. For information on the defect fixes, see “Defects fixed in this release”.
Fully automatic signing of zones by "named"
For this purpose, the ‘auto-dnssec’ configuration option was introduced. It accepts one of two
values: allow or maintain.
With auto-dnssec allow, named can search the key directory for keys matching the zone, insert
them into the zone, and use them to sign the zone. This is done only when the “rndc sign”
command is issued.
With auto-dnssec maintain, named does all of the above and also automatically adjusts the zone's
DNSKEY RRs according to the keys’ timing metadata.
Simplified configuration of DNSSEC Lookaside Validation (DLV)
A new configuration setting, auto, was added for the dnssec-lookaside option. This enables
DLV by using the dlv.isc.org repository and provides a built-in trusted key for it. The hard-coded
trusted key can be overridden by placing a different key in a file named bind.keys.
Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option (As a side effect,
this also makes it easier to configure automatic zone re-signing)
Just as rndc-confgen simplifies the configuration of remote name server control through RNDC,
ddns-confgen simplifies the configuration of DDNS.
A new update-policy of local is introduced. When it is set, a session key is generated
automatically and placed in /var/run/named/. This session key is used when dynamically
updating the zone locally. A local update can be performed simply by passing the new option ‘-l’
to nsupdate.
New named option "attach-cache" that allows multiple views to share a
single cache
By default, each view has its own cache. It was observed that if several views have the same
policies, their caches can be shared, which saves memory by reducing redundant cache entries.
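A named.conf fragment that combines the four options described above (auto-dnssec,
dnssec-lookaside auto, update-policy local and attach-cache). This is an added example, not taken
from the HP or ISC documentation; the zone name, view names, file paths and address ranges are
assumptions chosen for illustration.

```conf
// Added example. example.com, the view names, the paths and the 192.0.2.0/24
// ranges are assumed values, not settings from the release notes.

options {
    directory "/var/named";        // assumed working directory

    // Enable DLV through the dlv.isc.org repository with the built-in
    // trusted key. A key placed in a file named bind.keys overrides it.
    dnssec-lookaside auto;
};

view "lan-a" {
    // localhost is included so that "nsupdate -l", run on the server
    // itself, is matched by the view that holds the zone.
    match-clients { localhost; 192.0.2.0/25; };
    recursion yes;

    zone "example.com" {
        type master;
        file "master/example.com.db";

        // Directory that named searches for keys matching this zone.
        // The keys are assumed to have been created already with
        // dnssec-keygen.
        key-directory "keys/example.com";

        // named generates a session key under /var/run/named/ and accepts
        // local dynamic updates signed with it (nsupdate -l).
        update-policy local;

        // "allow" would sign only when "rndc sign" is issued. "maintain"
        // additionally adjusts the DNSKEY RRs from the keys' timing metadata.
        auto-dnssec maintain;
    };
};

view "lan-b" {
    match-clients { 192.0.2.128/25; };
    recursion yes;

    // Share the cache of view "lan-a" instead of creating a second one.
    // Both views are given the same policies so that a shared cache is safe.
    attach-cache "lan-a";
};
```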