Introduction

BIND 9.10.0a2 is the second alpha development release of BIND 9.10, a new branch of BIND 9. This document summarizes changes from the previous alpha release, BIND 9.10.0a1. Please see the CHANGES file in the source code release for a complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Support

Professional support is provided by DNSco. Information about paid support options is available at http://www.dns-co.com/solutions/.

Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list/.

Security Fixes

Fixed a crash that could occur when serving some NSEC3 signed zones. memcpy() was incorrectly called with overlapping source and destination ranges, which is undefined behaviour in C and resulted in malformed names being generated on some platforms. This could cause INSIST failures. The coding error that caused the problem has been corrected, and all uses of memcpy() have been changed to the safer memmove(), which is defined for overlapping ranges. (CVE-2014-0591) [RT #35120]

New Features

To improve recursive resolver performance, cache records which are still being requested by clients can now be automatically refreshed from the authoritative server before they expire, reducing or eliminating the time window in which no answer is available in the cache. [RT #35041]

Improved EDNS processing allows better resolver performance and reliability over slow or lossy connections. [RT #30644]

Zone data can now be shared between views, allowing multiple views to serve the same zones authoritatively without storing multiple copies in memory. [RT #32968]

A new compile-time option, --enable-native-pkcs11, allows the BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a hardware security module (HSM) directly instead of using a modified OpenSSL as an intermediary. This has been tested with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]

When re-signing a zone, the new "dnssec-signzone -Q" option drops signatures from keys that are still published but are no longer active. Thanks to Pierre Beyssac for the contribution. [RT #34990]

New options have been added to "dnssec-coverage": -z and -k limit coverage checks to ZSKs or KSKs respectively, and -l limits coverage checking to a specified duration. Thanks to Peter Palfrader for the contribution. [RT #35168]

Improvements have been made to the XSL stylesheet used for XML statistics: the stylesheet can now be cached by the browser; section headers are omitted when the sections have no data to display; counter readability has been improved. Also, broken-out subgroups of XML statistics (server, zones, net, tasks, mem, and status) can now be requested. Thanks to Timothe Litt for the assistance. [RT #35515] [RT #35517]

"named-checkconf -px" will print the contents of configuration files with the shared secrets obscured, making it easier to share configuration (e.g. when submitting a bug report) without revealing private information. [RT #34465]

Bug Fixes

Fixed a bug in BIND's socket library for Windows that caused "dig", "host", and "nslookup" to fail to exit properly on win32 systems. [RT #35288]

Fixed bugs in GeoIP code that could cause crashes during initialization when using "city" or "region" databases, or upon receipt of the first incoming query when specifying a GeoIP element in the "blackhole" ACL. [RT #35427] [RT #35272]

Reduced unnecessary memory consumption by zone objects, by not storing copies of the global "also-notify" list in zones that are configured not to send NOTIFY messages. [RT #35195]

Fixed a bug in "rndc zonestatus" that could cause an assertion failure due to running out of buffer space. [RT #35084]

Fixed a memory leak in peer.c that caused an assertion failure on shutdown. [RT #35255]

Fixed an "nsupdate" memory leak that could be triggered by using "realm" multiple times. [RT #35073]

Fixed "dig" when cleaning up TCP sockets still waiting on connect(). [RT #35074]

Fixed an issue with "rndc retransfer" which caused NSEC3 records to be replaced with NSEC records in inline-signing zones. [RT #34745]

Fixed an issue with "rndc refresh" failing to sign slave zones using inline-signing. [RT #35105]

Fixed a potential hang (detected by our inline-signing system test) that could be caused by a NULL pointer dereference in zone_xfrdone(). [RT #35042]

Addressed a bug in loadnode() that could return a pointer to a freed node when out of memory. [RT #35106]

Fixed a bug causing an insecure delegation from one "static-stub" zone to another to fail with a broken trust chain. [RT #35081]

Fixed a bug in which iterative responses could be discarded when the "query-source" port for an upstream query was the same as the listener port (53). [RT #34925]

Fixed a crash in the RBTDB implementation: calling dns_db_getoriginnode() more than once would be fatal if there was no data at the node. [RT #35080]

Fixed a possible race and crash in the socket_search() function in dispatch.c. [RT #35107]

Fixed "dig" so it can handle AXFR-style IXFR responses which span multiple messages. [RT #35137]

Fixed a "host" tool problem with converting UTF-8 text names to IDN encoding, by handling "." as a search list element when IDN support is enabled. [RT #35133]

Fixed "queryperf" to prevent a possible integer overflow when printing results. [RT #35182]

Fixed a theoretically possible race condition/crash when obtaining a socket in dispatch.c. [RT #35128]

All platforms now use built-in versions of strptime() and timegm() to avoid portability issues. [RT #35183]

Fixed a bug which could cause a crash when running "rndc reconfig" or "rndc reload" after the system was changed from using regular zones to answer RFC 1918 reverse DNS lookups to using built-in empty zones. [RT #35177]

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.

Copyright 2001-2014 Internet Systems Consortium, Inc.
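The security fix above (CVE-2014-0591) is an instance of a general C pitfall: shifting data within a single buffer with memcpy() when the source and destination ranges overlap. The following is an added example, not BIND code, and the function names, the wire-format sample name and the overlap check are this example's own constructions. It strips the leading label from a wire-format DNS name in place, which necessarily moves the tail of the buffer over its own head, and uses memmove() so the overlap is well defined; a small range check is included for auditing memcpy() calls that cannot be converted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIND code. Illustrates why an in-place shift within one
 * buffer must use memmove(): memcpy() with overlapping source and destination
 * ranges is undefined behaviour in C and may produce a corrupted copy. */

/* Strip the first label from a wire-format DNS name (length-prefixed labels,
 * terminated by a zero-length root label), shifting the remainder to the
 * start of the same buffer. Returns the new length, or 0 if the name is the
 * root, is truncated, or starts with a compression pointer/extended label. */
size_t strip_first_label(uint8_t *name, size_t len)
{
    if (len == 0)
        return 0;
    size_t lablen = name[0];
    if (lablen == 0 || lablen > 63)       /* root name, or not a plain label */
        return 0;
    size_t skip = 1 + lablen;             /* length byte plus label bytes   */
    if (skip >= len)                      /* truncated: no terminating root */
        return 0;
    /* Destination [0, len - skip) and source [skip, len) overlap whenever
     * the remaining name is longer than the label being removed, so this
     * is exactly the situation where memcpy() must not be used. */
    memmove(name, name + skip, len - skip);
    return len - skip;
}

/* Return non-zero if the byte ranges [a, a+alen) and [b, b+blen) overlap.
 * Useful as an audit guard in front of any memcpy() that takes pointers
 * into the same object. */
int ranges_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    const uint8_t *pa = (const uint8_t *)a;
    const uint8_t *pb = (const uint8_t *)b;
    return (pa < pb + blen) && (pb < pa + alen);
}

/* Render a wire-format name as dotted text into out; returns bytes written
 * (excluding the NUL) or 0 if the name is malformed or out is too small. */
size_t name_to_text(const uint8_t *name, size_t len, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (i < len) {
        size_t lablen = name[i++];
        if (lablen == 0)
            break;
        if (lablen > 63 || i + lablen > len || o + lablen + 2 > outlen)
            return 0;
        memcpy(out + o, name + i, lablen);  /* distinct buffers: no overlap */
        o += lablen;
        i += lablen;
        out[o++] = '.';
    }
    if (o >= outlen)
        return 0;
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: www.example.com. in wire format (17 bytes). */
    uint8_t name[] = { 3, 'w', 'w', 'w',
                       7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
                       3, 'c', 'o', 'm',
                       0 };
    char text[256];
    size_t len = sizeof(name);

    printf("overlap when shifting: %d\n",
           ranges_overlap(name, len - 4, name + 4, len - 4));

    len = strip_first_label(name, len);
    if (len != 0 && name_to_text(name, len, text, sizeof(text)) != 0)
        printf("after strip: %s (%zu bytes)\n", text, len);
    return 0;
}
```

The shift in strip_first_label() is the shape of the BIND bug: one buffer, source ahead of destination, ranges overlapping. memcpy() is still appropriate in name_to_text(), where the two buffers are distinct; the point of the release note's blanket conversion to memmove() is that it is never wrong, whereas memcpy() is only right when the caller can prove the ranges are disjoint.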