BIND 9.3.0rc3 is now available. BIND 9.3.0rc3 is a release candidate for BIND 9.3. BIND 9.3.0 has a number of new features over 9.2, including: DNSSEC is now DS based. See doc/draft/draft-ietf-dnsext-dnssec-* DNSSEC lookaside validation (experimental). check-names is now implemented. rrset-order in more complete. IPv4/IPv6 transition support, dual-stack-servers. IXFR deltas can now be generated when loading master files, ixfr-from-differences. It is now possible to specify the size of a journal, max-journal-size. It is now possible to define a named set of master servers to be used in masters clause, masters. The advertised EDNS UDP size can now be set, edns-udp-size. allow-v6-synthesis has been obsoleted. NOTE: * Zones containing MD and MF will now be rejected. * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than NOTIMPL. This will have impact on scripts that are looking for NOTIMPL. libbind: corresponds to that from BIND 8.4.5. NOTE: If you specified max-journal-size with a BIND 9.3.0 beta (upto beta 3) you may need to remove the journal. The journal compaction could leave the journal corrupted. NOTE: If you created TSIG keys using a BIND 9.3.0 beta dnsssec-keygen you will need to change the key type to KEY from DNSKEY in the .key file. NOTE: If you created keys for SIG(0) using a BIND 9.3.0 beta dnsssec-keygen you may need to replace them if you didn't use 'dnssec-keygen -k' to create KEY records rather than DNSKEY records. BIND 9.3.0rc3 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.3.0rc3/bind-9.3.0rc3.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.3.0rc3/bind-9.3.0rc3.tar.gz.asc The signature was generated with the ISC public key, which is available at . A binary kit for Windows NT 4.0 and Windows 2000 is at ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.3.0rc3/BIND9.3.0rc3.zip The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.3.0rc3/BIND9.3.0rc3.zip.asc The top of CHANGES contains: --- 9.3.0rc3 released --- 1696. [bug] dnssec-signzone failed to clean out nodes that consisted of only NSEC and RRSIG records. [RT #12154] 1695. [bug] DS records when forwarding require special handling. [RT #12133] 1694. [bug] Report if the builtin views of "_default" / "_bind" are defined in named.conf. [RT #12023] 1693. [bug] max-journal-size was not effective for master zones with ixfr-from-differences set. [RT# 12024] 1692. [bug] Don't set -I, -L and -R flags when libcrypto is in /usr/lib. [RT #11971] 1691. [bug] sdb's attachversion was not complete. [RT #11990] 1690. [bug] Delay detaching view from the client until UPDATE processing completes when shutting down. [RT #11714] 1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros contained gratuitous semicolons. [RT #11707] 1688. [bug] LDFLAGS was not supported. 1687. [bug] Race condition in dispatch. [RT #10272] 1686. [bug] Named sent a extraneous NOTIFY when it received a redundant UPDATE request. [RT #11943] --- 9.3.0rc2 released --- 1685. [bug] Change #1679 loop tests weren't quite right. 1683. [bug] dig +sigchase could leak memory. [RT #11445] 1682. [port] Update configure test for (long long) printf format. [RT #5066] 1681. [bug] Only set SO_REUSEADDR when a port is specified in isc_socket_bind(). [RT #11742] 1679. [bug] When there was a single nameserver with multiple addresses for a zone not all addresses were tried. [RT #11706] 1678. [bug] RRSIG should use TYPEXXXXX for unknown types. 1677. [bug] dig: +aaonly didn't work, +aaflag undocumented. 1675. [bug] named would sometimes add extra NSEC records to the authority section. 1674. [port] linux: increase buffer size used to scan /proc/net/if_inet6. 1673. [port] linux: issue a error messages if IPv6 interface scans fails. 1672. [cleanup] Tests which only function in a threaded build now return R:THREADONLY (rather than R:UNTESTED) in a non-threaded build. 1671. [contrib] queryperf: add NAPTR to the list of known types. 1670. [func] Log UPDATE requests to slave zones without an acl as "disabled" at debug level 3. [RT# 11657] 1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. 1667. [port] linux: not all versions have IF_NAMESIZE. 1666. [bug] The optional port on hostnames in dual-stack-servers was being ignored. 1663. [func] Look for OpenSSL by default. 1661. [bug] Restore dns_name_concatenate() call in adb.c:set_target(). [RT #11582] 1660. [bug] win32: connection_reset_fix() was being called unconditionally. [RT #11595] --- 9.3.0rc1 released --- 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 1662. [bug] Change #1658 failed to change one use of 'type' to 'keytype'. 1659. [cleanup] Cleanup some messages that were referring to KEY vs DNSKEY, NXT vs NSEC and SIG vs RRSIG. 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 and DH. Tighten which options apply to KEY and DNSKEY records. 1657. [doc] ARM: document query log output. 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC DNSKEY and RRSIG. [RT #11542] 1655. [bug] Logging multiple versions w/o a size was broken. [RT #11446] 1654. [bug] isc_result_totext() contained array bounds read error. 1653. [func] Add key type checking to dst_key_fromfilename(), DST_TYPE_KEY should be used to read TSIG, TKEY and SIG(0) keys. 1652. [bug] TKEY still uses KEY. 1651. [bug] dig: process multiple dash options. 1650. [bug] dig, nslookup: flush standard out after each command. 1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206] 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet implemented). 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. [RT #11445] 1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT#11486] 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. 1644. [bug] Update the journal modification time after a sucessfull refresh query. [RT #11436] 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] 1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360] 1641. [bug] Update the check-names description in ARM. [RT #11389] --- 9.3.0beta4 released --- 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291] 1639. [func] Initial dlv system test. 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if a error had occured. The database version no longer matched the version of the database that was dumped. 1635. [bug] Memory leak on error in query_addds(). 1634. [bug] named didn't supply a useful error message when it detected duplicate views. [RT #11208] 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. [RT #11331] 1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288] 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] 1630. [contrib] queryperf: add support for IPv6 transport. 1629. [func] dig now supports IPv6 scoped addresses with the extended format in the local-server part. [RT #8753] 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] 1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT# 11179] 1626. [bug] --enable-getifaddrs was broken. [RT#11259] 1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT# 11237] 1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. --- 9.3.0beta3 released --- 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177] 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is available, and suppress wildcard binding if not. 1621. [bug] match-destinations did not work for IPv6 TCP queries. [RT# 11156] 1620. [func] When loading a zone report if it is signed. [RT #11149] 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] 1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger a INSIST(). 1617. [port] win32: VC++ 6.0 support. 1616. [compat] Ensure that named's version is visible in the core dump. [RT #11127] 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. 1614. [port] win32: silence resource limit messages. [RT# 11101] 1613. [bug] Builds would fail on machines w/o a if_nametoindex(). Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119] 1612. [bug] check-names at the option/view level could trigger an INSIST. [RT# 11116] 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. 1610. [bug] On dual stack machines "dig -b" failed to set the address type to be looked up with "@server". [RT #11069] 1600. [bug] Duplicate zone pre-load checks were not case insensitive. 1599. [bug] Fix memory leak on error path when checking named.conf. 1598. [func] Specify that certain parts of the namespace must be secure (dnssec-must-be-secure). --- 9.3.0beta2 released --- 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. 1608. [func] dig and host now accept -4/-6 to select IP transport to use when making queries. 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initialized structure. 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] 1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] 1594. [bug] 'rndc dumpdb' could prevent named from answering queries while the dump was in progress. [RT #10565] 1593. [bug] rndc should return "unknown command" to unknown commands. [RT# 10642] --- 9.3.0beta1 released ---