Release Notes for BIND Version 9.14.2

Introduction

BIND 9.14 is a stable branch of BIND. This document summarizes significant changes since the last production release on that branch.

Please see the file CHANGES for a more detailed list of changes and bug fixes.

Note on Version Numbering

As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" release numbering convention. BIND 9.14 contains new features added during the BIND 9.13 development process. Henceforth, the 9.14 branch will be limited to bug fixes and new feature development will proceed in the unstable 9.15 branch, and so forth.

Supported Platforms

Since 9.12, BIND has undergone substantial code refactoring and cleanup, and some very old code has been removed that was needed to support legacy platforms which are no longer supported by their vendors and for which ISC is no longer able to perform quality assurance testing. Specifically, workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed.

On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the C compiler.

More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system libraries provide the above features, BIND 9 should compile and run. If that isn't the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors.

As of BIND 9.14, the BIND development team has also made cryptography (i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key cryptography (i.e., DNSSEC signing and validation), but OpenSSL is still required for general cryptography operations such as hashing and random number generation.

Download

The latest versions of BIND 9 software can always be found at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems.

Security Fixes

  • In certain configurations, named could crash with an assertion failure if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL #880]

  • The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to exhaustion of file descriptors. (CVE-2018-5743) [GL #615]

New Features

  • The new add-soa option specifies whether or not the response-policy zone's SOA record should be included in the additional section of RPZ responses. [GL #865]

Feature Changes

  • When trusted-keys and managed-keys are both configured for the same name, or when trusted-keys is used to configure a trust anchor for the root zone and dnssec-validation is set to the default value of auto, automatic RFC 5011 key rollovers will fail.

    This combination of settings was never intended to work, but there was no check for it in the parser. This has been corrected; a warning is now logged. (In BIND 9.15 and higher this error will be fatal.) [GL #868]

Bug Fixes

  • The allow-update and allow-update-forwarding options were inadvertently treated as configuration errors when used at the options or view level. This has now been corrected. [GL #913]

License

BIND is open source software licenced under the terms of the Mozilla Public License, version 2.0 (see the LICENSE file for the full text).

The license requires that if you make changes to BIND and distribute them outside your organization, those changes must be published under the same license. It does not require that you publish or disclose anything other than the changes you have made to our software. This requirement does not affect anyone who is using BIND, with or without modifications, without redistributing it, nor anyone redistributing BIND without changes.

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/mission/contact/.

End of Life

The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See https://www.isc.org/downloads/software-support-policy/ for details of ISC's software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/.