BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local” update-policy option (As a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain controls channel are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post zone load checks. New configuration options for same
- Dig now has new options
- Recursive clients for same query can now be controlled with new configuration options
- Automatic empty zone are now fully covered as mentioned in RFC 1918 zones
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
For this purpose the ‘attach-cache’ option was introduced in named.conf which takes the
cache_name as value. The cache name is the name of the first view whose cache needs to be
shared.
DNS rebinding attack prevention
In the DNS rebinding attack, the embedded web code (responsible for fetching web content) of a
malicious webpage queries the attackers DNS server for a domain that resolves to an IP address
internal to the victim’s domain. The resolved IP address could be the IP address of a machine that
stores sensitive data. The attack enables the attacker to bypass the firewall security.
To prevent this attack, BIND 9.7 introduces two new options which are deny-answer-addresses
and deny-answer-aliases with an except-from exclusion list.
deny-answer-addresses discards any response that resolves to an IP address which matches
the address-match-list specified and deny-answer-aliases discards if the name-list specified by it
matches any CNAME or DNAME alias in the response.
New default values for dnssec-keygen parameters
Without arguments, dnssec-keygen will now generate a 1024-bit RSASHA1 zone-signing
key, or with the -f KSK option, a 2048-bit RSASHA1 key-signing key.
Support for RFC 5011 automated trust anchor maintenance
BIND-9.7 allows named to keep track of changes to critical DNSSEC keys without any need for
the operator to make changes to configuration files. For this, managed-keys statement was
introduced in named.conf.
Prior to BIND 9.7, trust –anchors had to be maintained manually, which has risk in the scenario
when the zones KSK are compromised. In this case the zone operator would immediately replace
the existing KSK with a new one. This resolver still has the old KSK as trust anchor, which would
result in all of its queries for the secure domain to fail with SERVFAIL. This would continue until the
trust anchor is updated.
But with RFC 5011 support, the resolver would monitor the trust anchors for new additions of trust
anchors. A new trust-anchor would indicate the wish of the zone operator to change the current
trust-anchor. This would be noted by the resolver and when the original trust-anchor is revoked,
named smoothly transitions to the new trust-anchors, thus avoiding SERVFAIL. All this can be availed
simply by mentioning the zones name in managed-keys statement.
Smart signing: simplified tools for zone signing and key maintenance
Using this feature it is not required to manually insert the public keys into the zone files. The
‘dnssec-signzone –S’ now analyses the key timing metadata and takes decisions what to do
with the keys. The action could be to publish / sign with / revoke / delete.
After revoking an active key, the zone must be signed with both the revoked KSK and the new
active KSK. (Smart signing takes care of this automatically)
Named and other binaries can now print out a stack backtrace on assertion
failure, to aid in debugging
named and other BIND executables will log or print out a stack backtrace on assertion failures.
This can be used in debugging issues with the BIND code.
Full NSEC3 support
The drawback of NSEC was that its proof of non-existence would reveal the zone names which
allowed for zone enumeration. The technique to prevent is called NSEC3. In this the domain names
DNS rebinding attack prevention 7