Release Notes
Contents
Introduction
BIND 9.18 is a stable branch, suitable for production use. This document summarizes significant changes since the last production release on that branch.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Notes for BIND 9.18.5
Feature Changes
The
dnssec-signzone -H
default value has been changed to 0 additional NSEC3 iterations. This change aligns thednssec-signzone
default with the default used by thednssec-policy
feature. At the same time, documentation about NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]
When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec
could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]Previously,
named
immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed:named
acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]Previously,
rndc reconfig
did not pick up changes toendpoints
statements inhttp
blocks. This has been fixed. [GL #3415]It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]
Notes for BIND 9.18.4
Feature Changes
New
dnssec-policy
configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]
Bug Fixes
The
fetches-per-server
quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]
Key files were updated every time the
dnssec-policy
key manager ran, whether the metadata had changed or not.named
now checks whether changes were applied before writing out the key files. [GL #3302]
Notes for BIND 9.18.3
Security Fixes
Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in
named
instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]
Known Issues
According to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
New Features
Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by
named
. All of the previously supported BIND-specific catalog zone custom properties (primaries
,allow-query
, andallow-transfer
), as well as the new Change of Ownership (coo
) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, theversion
property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]Support DNS Extended Errors (RFC 8914)
Stale Answer
andStale NXDOMAIN Answer
when stale answers are returned from cache. [GL #2267]Add support for remote TLS certificate verification, both to
named
anddig
, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]
Bug Fixes
Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the
auto-dnssec maintain;
option. This has been fixed. [GL #2931]
Notes for BIND 9.18.2
New Features
Add a new configuration option
reuseport
to disable load balancing on sockets in situations where processing of Response Policy Zones (RPZ), Catalog Zones, or large zone transfers can cause service disruptions. See the BIND 9 ARM for more detail. [GL #3249]
Bug Fixes
Previously, zone maintenance DNS queries retried forever if the destination server was unreachable. These queries included outgoing NOTIFY messages, refresh SOA queries, parental DS checks, and stub zone NS queries. For example, if a zone had any nameservers with IPv6 addresses and a secondary server without IPv6 connectivity, that server would keep trying to send a growing amount of NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive retry behavior has been fixed. [GL #3242]
A number of crashes and hangs which could be triggered in
dig
were identified and addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]Invalid
dnssec-policy
definitions, where the defined keys did not cover both KSK and ZSK roles for a given algorithm, were being accepted. These are now checked, and thednssec-policy
is rejected if both roles are not present for all algorithms in use. [GL #3142]Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. [GL #3200]
Notes for BIND 9.18.1
Security Fixes
The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with
keep-response-order
enabled could leave the TCP sockets in theCLOSE_WAIT
state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]Lookups involving a DNAME could trigger an assertion failure when
synth-from-dnssec
was enabled (which is the default). (CVE-2022-0635)ISC would like to thank Vincent Levigneron from AFNIC for bringing this vulnerability to our attention. [GL #3158]
When chasing DS records, a timed-out or artificially delayed fetch could cause
named
to crash while resuming a DS lookup. (CVE-2022-0667) [GL #3129]
Feature Changes
The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent by a client are now included in the client information sent to DLZ modules when processing queries. [GL #3082]
DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]
The limit on the number of simultaneously processed pipelined DNS queries received over TCP has been removed. Previously, it was capped at 23 queries processed at the same time. [GL #3141]
Bug Fixes
A failed view configuration during a
named
reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other unexpected errors. This has been fixed. [GL #3060]Previously,
named
logged a “quota reached” message when it hit its hard quota on the number of connections. That message was accidentally removed but has now been restored. [GL #3125]The
max-transfer-time-out
andmax-transfer-idle-out
options were not implemented when the BIND 9 networking stack was refactored in 9.16. The missing functionality has been re-implemented and outgoing zone transfers now time out properly when not progressing. [GL #1897]TCP connections could hang indefinitely if the other party did not read sent data, causing the TCP write buffers to fill. This has been fixed by adding a “write” timer. Connections that are hung while writing now time out after the
tcp-idle-timeout
period has elapsed. [GL #3132]Client TCP connections are now closed immediately when data received cannot be parsed as a valid DNS request. [GL #3149]
The statistics counter representing the current number of clients awaiting recursive resolution results (
RecursClients
) could be miscalculated in certain resolution scenarios, potentially causing the value of the counter to drop below zero. This has been fixed. [GL #3147]An error in the processing of the
blackhole
ACL could cause some DNS requests sent bynamed
to fail - for example, zone transfer requests and SOA refresh queries - if the destination address or prefix was specifically excluded from the ACL using!
, or if the ACL was set tonone
. This has now been fixed.blackhole
worked correctly when it was left unset, or if only positive-match elements were included. [GL #3157]Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. [GL #3111]
Notes for BIND 9.18.0
Note
This section only lists changes since BIND 9.16.25, the most recent release on the previous stable branch of BIND before the publication of BIND 9.18.0.
Known Issues
rndc
has been updated to use the new BIND network manager API. As the network manager currently has no support for UNIX-domain sockets, those cannot now be used withrndc
. This will be addressed in a future release, either by restoring UNIX-domain socket support or by formally declaring them to be obsolete in the control channel. [GL #1759]
New Features
named
now supports securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH).named
can use either a certificate provided by the user or an ephemeral certificate generated automatically upon startup. Thetls
block allows fine-grained control over TLS parameters. [GL #1840] [GL #2795] [GL #2796]For debugging purposes,
named
logs TLS pre-master secrets when theSSLKEYLOGFILE
environment variable is set. This enables troubleshooting of issues with encrypted traffic. [GL #2723]Support for DNS over TLS (DoT) has been added to
named
. Network interfaces for DoT are configured using the existing listen-on directive, while TLS parameters are configured using the newtls
block. [GL #1840]named
supports zone transfers over TLS (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.Incoming zone transfers over TLS are enabled by adding the
tls
keyword, followed by either the name of a previously configuredtls
block or the stringephemeral
, to the addresses included in primaries lists. [GL #2392]Similarly, the allow-transfer option was extended to accept additional
port
andtransport
parameters, to further restrict outgoing zone transfers to a particular port and/or DNS transport protocol. [GL #2776]Note that zone transfers over TLS (XoT) require the
dot
Application-Layer Protocol Negotiation (ALPN) token to be selected in the TLS handshake, as required by RFC 9103 section 7.1. This might cause issues with non-compliant XoT servers. [GL #2794]The
dig
tool is now able to send DoT queries (+tls
option). [GL #1840]There is currently no support for forwarding DNS queries via DoT.
Support for DNS over HTTPS (DoH) has been added to
named
. Both TLS-encrypted and unencrypted connections are supported (the latter may be used to offload encryption to other software). Network interfaces for DoH are configured using the existing listen-on directive, while TLS parameters are configured using the newtls
block and HTTP parameters are configured using the newhttp
block. [GL #1144] [GL #2472]Server-side quotas on both the number of concurrent DoH connections and the number of active HTTP/2 streams per connection can be configured using the global
http-listener-clients
andhttp-streams-per-connection
options, or thelistener-clients
andstreams-per-connection
parameters in anhttp block
. [GL #2809]The
dig
tool is now able to send DoH queries (+https
option). [GL #1641]There is currently no support for forwarding DNS queries via DoH.
DoH support can be disabled at compile time using a new build-time option,
--disable-doh
. This allows BIND 9 to be built without the libnghttp2 library. [GL #2478]A new logging category,
rpz-passthru
, was added, which allows RPZ passthru actions to be logged into a separate channel. [GL #54]A new option,
nsdname-wait-recurse
, has been added to theresponse-policy
clause in the configuration file. When set tono
, RPZ NSDNAME rules are only applied if the authoritative nameservers for the query name have been looked up and are present in the cache. If this information is not present, the RPZ NSDNAME rules are ignored, but the information is looked up in the background and applied to subsequent queries. The default isyes
, meaning that RPZ NSDNAME rules should always be applied, even if the information needs to be looked up first. [GL #1138]Support for HTTPS and SVCB record types now also includes ADDITIONAL section processing for these record types. [GL #1132]
New configuration options,
tcp-receive-buffer
,tcp-send-buffer
,udp-receive-buffer
, andudp-send-buffer
, have been added. These options allow the operator to fine-tune the receiving and sending buffers in the operating system. On busy servers, increasing the size of the receive buffers can prevent the server from dropping packets during short traffic spikes, and decreasing it can prevent the server from becoming clogged with queries that are too old and have already timed out. [GL #2313]New finer-grained
update-policy
rule types,krb5-subdomain-self-rhs
andms-subdomain-self-rhs
, were added. These rule types restrict updates to SRV and PTR records so that their content can only match the machine name embedded in the Kerberos principal making the change. [GL #481]Per-type record count limits can now be specified in
update-policy
statements, to limit the number of records of a particular type that can be added to a domain name via dynamic update. [GL #1657]Support for OpenSSL 3.0 APIs was added. [GL #2843] [GL #3057]
Extended DNS Error Code 18 - Prohibited (see RFC 8914 section 4.19) is now set if query access is denied to the specific client. [GL #1836]
ipv4only.arpa
is now served when DNS64 is configured. [GL #385]dig
can now report the DNS64 prefixes in use (+dns64prefix
). This is useful when the host on whichdig
is run is behind an IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a Service). [GL #1154]dig
output now includes the transport protocol used (UDP, TCP, TLS, HTTPS). [GL #1144] [GL #1816]dig +qid=<num>
allows the user to specify a particular query ID for testing purposes. [GL #1851]
Removed Features
Support for the
map
zone file format (masterfile-format map;
) has been removed. Users relying on themap
format are advised to convert their zones to theraw
format withnamed-compilezone
and change the configuration appropriately prior to upgrading BIND 9. [GL #2882]Old-style Dynamically Loadable Zones (DLZ) drivers that had to be enabled in
named
at build time have been removed. New-style DLZ modules should be used as a replacement. [GL #2814]Support for compiling and running BIND 9 natively on Windows has been completely removed. The last stable release branch that has working Windows support is BIND 9.16. [GL #2690]
Native PKCS#11 support has been removed. [GL #2691]
When built against OpenSSL 1.x, BIND 9 now uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL engine which is part of the OpenSC project.
As support for so-called “engines” was deprecated in OpenSSL 3.x, compiling BIND 9 against an OpenSSL 3.x build which does not retain support for deprecated APIs makes it impossible to use PKCS#11 in BIND 9. A replacement for engine_pkcs11 which employs the new “provider” approach introduced in OpenSSL 3.x is in the making. [GL #2843]
The utilities
dnssec-checkds
,dnssec-coverage
, anddnssec-keymgr
have been removed from the BIND distribution, as well as theisc
Python package. DNSSEC features formerly provided by these utilities are now integrated intonamed
. See the dnssec-policy configuration option for more details.An archival version of the Python utilities has been moved to the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/. Please note these tools are no longer supported by ISC.
Since the old socket manager API has been removed, “socketmgr” statistics are no longer reported by the statistics channel. [GL #2926]
The
glue-cache
option has been marked as deprecated. The glue cache feature still works and will be permanently enabled in a future release. [GL #2146]A number of non-working configuration options that had been marked as obsolete in previous releases have now been removed completely. Using any of the following options is now considered a configuration failure:
acache-cleaning-interval
,acache-enable
,additional-from-auth
,additional-from-cache
,allow-v6-synthesis
,cleaning-interval
,dnssec-enable
,dnssec-lookaside
,filter-aaaa
,filter-aaaa-on-v4
,filter-aaaa-on-v6
,geoip-use-ecs
,lwres
,max-acache-size
,nosit-udp-size
,queryport-pool-ports
,queryport-pool-updateinterval
,request-sit
,sit-secret
,support-ixfr
,use-queryport-pool
,use-ixfr
. [GL #1086]The
dig
option+unexpected
has been removed. [GL #2140]IPv6 sockets are now explicitly restricted to sending and receiving IPv6 packets only. As this breaks the
+mapped
option fordig
, the option has been removed. [GL #3093]Disable and disallow static linking of BIND 9 binaries and libraries as BIND 9 modules require
dlopen()
support and static linking also prevents using security features like read-only relocations (RELRO) or address space layout randomization (ASLR) which are important for programs that interact with the network and process arbitrary user input. [GL #1933]The
--with-gperftools-profiler
configure
option was removed. To use the gperftools profiler, theHAVE_GPERFTOOLS_PROFILER
macro now needs to be manually set inCFLAGS
and-lprofiler
needs to be present inLDFLAGS
. [GL !4045]
Feature Changes
Aggressive Use of DNSSEC-Validated Cache (
synth-from-dnssec
, see RFC 8198) is now enabled by default again, after having been disabled in BIND 9.14.8. The implementation of this feature was reworked to achieve better efficiency and tuned to ignore certain types of broken NSEC records. Negative answer synthesis is currently only supported for zones using NSEC. [GL #1265]The default NSEC3 parameters for
dnssec-policy
were updated to no extra SHA-1 iterations and no salt (NSEC3PARAM 1 0 0 -
). This change is in line with the latest NSEC3 recommendations. [GL #2956]The default for
dnssec-dnskey-kskonly
was changed toyes
. This means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by default. The additional signatures prepared using the ZSK when the option is set tono
add to the DNS response payload without offering added value. [GL #1316]dnssec-cds
now only generates SHA-2 DS records by default and avoids copying deprecated SHA-1 records from a child zone to its delegation in the parent. If the child zone does not publish SHA-2 CDS records,dnssec-cds
will generate them from the CDNSKEY records. The-a algorithm
option now affects the process of generating DS digest records from both CDS and CDNSKEY records. Thanks to Tony Finch. [GL #2871]Previously,
named
accepted FORMERR responses both with and without an OPT record, as an indication that a given server did not support EDNS. To implement full compliance with RFC 6891, only FORMERR responses without an OPT record are now accepted. This intentionally breaks communication with servers that do not support EDNS and that incorrectly echo back the query message with the RCODE field set to FORMERR and the QR bit set to 1. [GL #2249]The question section is now checked when processing AXFR, IXFR, and SOA replies while transferring a zone in. [GL #1683]
DNS Flag Day 2020: the EDNS buffer size probing code, which made the resolver adjust the EDNS buffer size used for outgoing queries based on the successful query responses and timeouts observed, was removed. The resolver now always uses the EDNS buffer size set in
edns-udp-size
for all outgoing queries. [GL #2183]Keeping stale answers in cache (
stale-cache-enable
) has been disabled by default. [GL #1712]Overall memory use by
named
has been optimized and significantly reduced, especially for resolver workloads. [GL #2398] [GL #3048]Memory allocation is now based on the memory allocation API provided by the jemalloc library, on platforms where it is available. Use of this library is now recommended when building BIND 9; although it is optional, it is enabled by default. [GL #2433]
Internal data structures maintained for each cache database are now grown incrementally when they need to be expanded. This helps maintain a steady response rate on a loaded resolver while these internal data structures are resized. [GL #2941]
The interface handling code has been refactored to use fewer resources, which should lead to less memory fragmentation and better startup performance. [GL #2433]
When reporting zone types in the statistics channel, the terms
primary
andsecondary
are now used instead ofmaster
andslave
, respectively. [GL #1944]The
rndc nta -dump
andrndc secroots
commands now both includevalidate-except
entries when listing negative trust anchors. These are indicated by the keywordpermanent
in place of the expiry date. [GL #1532]The output of
rndc serve-stale status
has been clarified. It now explicitly reports whether retention of stale data in the cache is enabled (stale-cache-enable
), and whether returning such data in responses is enabled (stale-answer-enable
). [GL #2742]Previously, using
dig +bufsize=0
had the side effect of disabling EDNS, and there was no way to test the remote server’s behavior when it had received a packet with EDNS0 buffer size set to 0. This is no longer the case;dig +bufsize=0
now sends a DNS message with EDNS version 0 and buffer size set to 0. To disable EDNS, usedig +noedns
. [GL #2054]BIND 9 binaries which are neither daemons nor administrative programs were moved to
$bindir
. Onlyddns-confgen
,named
,rndc
,rndc-confgen
, andtsig-confgen
were left in$sbindir
. [GL #1724]The BIND 9 build system has been changed to use a typical autoconf+automake+libtool stack. This should not make any difference for people building BIND 9 from release tarballs, but when building BIND 9 from the Git repository,
autoreconf -fi
needs to be run first. Extra attention is also needed when using non-standardconfigure
options. [GL #4]
Bug Fixes
Log files using
timestamp
-style suffixes were not always correctly removed when the number of files exceeded the limit set byversions
. This has been fixed. [GL #828]
License
BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the COPYING
file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.18 is a stable branch, suitable for production use. After it has been in production use for a while it will be designated as an Extended Support Version (ESV). Until then, the current ESV is BIND 9.16, which will be supported until at least December 2023. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.