BIND 9.7.3 Release Notes HP-UX 11i v3 (761997-001, January 2014)
Table Of Contents
- BIND 9.7.3 Release Notes
- Contents
- HP secure development lifecycle
- 1 BIND 9.7.3 release notes
- Announcement
- What is in this version?
- Fully automatic signing of zones by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option (as a side effect, this also makes it easier to configure automatic zone re-signing)
- New named option "attach-cache" that allows multiple views to share a single cache
- DNS rebinding attack prevention
- New default values for dnssec-keygen parameters
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key maintenance
- Named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging
- Full NSEC3 support
- Automatic zone re-signing
- Default PID file location
- Default TTL with nsupdate
- Randomize server selection on queries
- Specify max sockets on named command line
- GSS-TSIG support (RFC 3645)
- More detailed statistics counters
- Faster ACL processing and efficient LRU cache cleaning mechanism
- NSID support (RFC 5001)
- Implementation of "additional section caching"
- Convenient syntax for already existing options like query-source, server statement in rndc.conf
- New acl option “allow-query-cache”
- Additional fields for already existing options like ixfr-from-differences
- Journal file names are configurable
- New control options for rndc like notify, sign, validation and querylog
- Error messages are now more informative
- Scope of some ACL (e.g. allow-update) was changed in named.conf.
- New options to control behavior of DNS NOTIFY
- UNIX domain control channels are now supported
- Introduction of new zonefile format to enhance loading performance
- Extended post-zone-load checks, with new configuration options for them
- Dig now has new options
- Recursive clients for the same query can now be controlled with new configuration options
- Automatic empty zones now fully cover the zones listed in RFC 1918
- New update-policy fields added
- New algorithms support
- The EDNS response / reply sizes can now be configured
- Defaults have been changed for some configuration and binary options
- DNSSEC validation is set by default and can be unset explicitly
- SPF (Sender Policy Framework) support
- Support for new resource records
- New binaries have been added
- Changed features
- Installing BIND 9.7.3
- Prerequisites
- Installation instructions
- Verifying the BIND 9.7.3 installation
- Unsupported features
- Known problems
- Related information
- Manpages
- Product documentation
- Defects fixed in this release
- Defects fixed in the HP-UX 11i v3 operating system
- HP specific changes
- Defects for which fixes were ported from ISC:
- New deliverables in BIND 9.7.3 and their locations
are presented in the form of their hashes. This prevents zone information from leaking: the client
itself hashes the QNAME and verifies that hash against the hashes in the proof.
NSEC3 requires more computation than NSEC, so it is recommended only where zone enumeration
is a real concern.
BIND 9.7 provides facilities for converting a signed zone from an NSEC chain to an NSEC3 chain
and vice versa.
Generating NSEC3 chain
Convenient methods are provided for signing with NSEC3:
• dnssec-signzone takes a -u option to convert an NSEC-signed zone to NSEC3 and vice
versa.
• Dynamically add an NSEC3PARAM record (a new record type introduced to trigger NSEC3 chain
generation on the fly). When the BIND 9.7 name server finds this record in a secure zone, it
generates the NSEC3 chain. The NSEC chain is replaced only after the generation is complete.
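The following is an added example, not code from these release notes or from ISC BIND. It shows what the two passages above rely on: the RFC 5155 owner-name hash that dnssec-signzone computes when it builds an NSEC3 chain and that a validating client recomputes for a QNAME to check a denial-of-existence proof, plus the presentation form of the NSEC3PARAM record whose addition by dynamic update makes named build the chain with those same parameters. The zone name, salt and iteration count used in the test values are the RFC 5155 Appendix A example; the function names and the two-record sample chain are this example's own.

```python
import base64
import hashlib

# Added example, not code from the HP release notes or from ISC BIND.
# It implements the RFC 5155 owner-name hash that dnssec-signzone uses when
# it builds an NSEC3 chain and that a validator recomputes for a QNAME when
# checking a denial-of-existence proof. Zone, salt and iteration count in
# the usage section are the RFC 5155 Appendix A example values.

_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"   # base32hex alphabet (RFC 4648 s.7)
_TO_HEX32 = bytes.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a DNS name."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1 over (name || salt), then `iterations` more
    rounds of SHA-1 over (previous digest || salt); base32hex, lower case."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX32).decode("ascii").lower()


def nsec3param_rr(zone, iterations, salt, flags=0):
    """Presentation form of the NSEC3PARAM record that, added to a secure
    zone by dynamic update, makes named generate the NSEC3 chain with these
    parameters (hash algorithm 1 = SHA-1 is the only one defined)."""
    return "%s NSEC3PARAM 1 %d %d %s" % (zone, flags, iterations,
                                          salt.hex() if salt else "-")


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if the NSEC3 record (owner_hash -> next_hash) proves that
    target_hash is absent; the last record in the chain wraps to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def find_covering_record(chain, qname, salt, iterations):
    """chain: list of (owner_hash, next_hash) pairs taken from the zone's
    NSEC3 records. Returns the pair covering qname, or None if qname's hash
    is itself an owner (the name exists) or the chain is incomplete."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if owner.lower() == h:
            return None
        if nsec3_covers(owner, nxt, h):
            return (owner, nxt)
    return None


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")
    print(nsec3param_rr("example.", 12, salt))
    print("example. ->", nsec3_hash("example.", salt, 12))
```

Hashes are compared as base32hex strings, which preserves the byte order of the underlying SHA-1 digest, so the same comparison the signer uses to sort the chain serves the validator when it looks for the record that covers a hashed QNAME. Raising the iteration count makes every lookup on both sides correspondingly more expensive, which is the cost the text above refers to.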
New record for NSEC3
New private-type records are introduced that communicate the state of the signing process.
By default the type is TYPE65534. This is a temporary record type and is expected to be replaced
in future versions once a standard is defined for it. A new option, sig-signing-type, is
introduced to specify the private RDATA type.
The data field of this record is a 5-octet value with the following format:
Table 1 Format of the private-type record data field
Octet     Field
1         algorithm
2 and 3   key id, in network byte order
4         removal flag
5         complete flag
Example value (octet 5 shown leftmost): 0000ECF705, that is, complete flag 00, removal flag 00,
key id ECF7, algorithm 05.
Documented interpretations of the octet values
• When signing is complete, these records will have a nonzero value for the final octet.
• If the first octet is zero then the record indicates changes to the NSEC3 chains are in
progress.
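The following is an added example, not code from these release notes or from ISC BIND. It decodes the data field described in Table 1 and applies the two interpretations listed above: a nonzero final octet means signing with that key is complete, and a zero first octet means a change to the NSEC3 chain is in progress. The wire order starts at octet 1, so the example value 0000ECF705 (octet 5 leftmost) is 05 EC F7 00 00 on the wire. The function names are this example's own, the record data is constructed, and the layout of the bytes following a zero first octet is not described on this page, so the example leaves them raw.

```python
import struct

# Added example, not code from the HP release notes or from ISC BIND. It
# decodes the data of the private-type record (TYPE65534 unless
# sig-signing-type is set) that named keeps at the zone apex to track
# signing state. Wire order starts at octet 1, so the release notes' example
# value 0000ECF705 (octet 5 leftmost) is 05 EC F7 00 00 on the wire.
# All record data below is constructed for this example.

ALGORITHM_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1"}   # the two discussed above


def parse_generic_rdata(text):
    """Convert dig's unknown-type presentation, e.g. '\\# 5 05ECF70000'
    (RFC 3597), into the raw rdata bytes."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic rdata: %r" % text)
    length = int(parts[1])
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != length:
        raise ValueError("length %d does not match %d data octets"
                         % (length, len(data)))
    return data


def decode_private_record(data):
    """Return a dict describing one private-type record.

    First octet zero: a change to the NSEC3 chain is in progress (the rest
    of the data is kept raw; its layout is an assumption not covered here).
    Otherwise: algorithm, key id (network order), removal flag, complete flag.
    """
    if not data:
        raise ValueError("empty private-type rdata")
    if data[0] == 0:
        return {"kind": "nsec3-chain-change", "complete": False,
                "payload": data[1:].hex()}
    if len(data) != 5:
        raise ValueError("signing-state record must be 5 octets, got %d"
                         % len(data))
    algorithm, key_id, removal, complete = struct.unpack("!BHBB", data)
    return {"kind": "signing-state",
            "algorithm": algorithm,
            "algorithm_name": ALGORITHM_NAMES.get(algorithm, "unknown"),
            "key_id": key_id,
            "removing": removal != 0,
            "complete": complete != 0}


def pending_work(rdata_texts):
    """Given the apex TYPE65534 rdata set in dig's generic form, return the
    decoded records whose work named has not finished. An empty list means
    every key's signing run is complete and no chain change is under way."""
    return [rec for rec in map(decode_private_record,
                               map(parse_generic_rdata, rdata_texts))
            if not rec["complete"]]


if __name__ == "__main__":
    # Constructed sample: key 60663 (0xECF7) with RSASHA1 still being
    # signed in, key 0xA1B2 with NSEC3RSASHA1 already complete.
    for rec in pending_work(["\\# 5 05ECF70000", "\\# 5 07A1B20001"]):
        print(rec)
```

The rdata set to feed in is what a query for the private type at the zone apex returns, for example dig with query type TYPE65534 against the master; a monitoring check that waits for pending_work to return an empty list before, say, rolling a key avoids acting on a zone whose signatures or NSEC3 chain are still being rewritten.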
NOTE: A secure zone can be converted from an NSEC chain to an NSEC3 chain only if its keys use
NSEC3-capable algorithms. RSASHA1, the default algorithm of the standard DNSSEC tools
dnssec-keygen and dnssec-signzone, is not NSEC3-capable.
The algorithm NSEC3RSASHA1 was introduced to provide that capability.
By default, dnssec-keygen generates RSASHA1 keys. To generate keys with an NSEC3-capable
algorithm, use -3, which switches the default to NSEC3RSASHA1.
Automatic zone re-signing
BIND 9.7 supports periodic re-signing of a secure zone, covering records changed by dynamic
updates that were not re-signed as a result of the update action itself.
New options sig-signing-nodes and sig-signing-signatures were introduced to break the
re-signing work into smaller units.
8 BIND 9.7.3 release notes