BIND 9.7.0b3 is now available. BIND 9.7.0b3 is the third beta release of BIND 9.7.0. Overview: BIND 9.7 includes a number of changes from BIND 9.6 and earlier releases. Most are intended to simplify DNSSEC configuration and operation. NOTE: This release contains the following security fix: 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] New features include: - Fully automatic signing of zones by "named". - Simplified configuration of DNSSEC Lookaside Validation (DLV). - Simplified configuration of Dynamic DNS, using the "ddns-confgen" command line tool or the "local" update-policy option. (As a side effect, this also makes it easier to configure automatic zone re-signing.) - New named option "attach-cache" that allows multiple views to share a single cache. - DNS rebinding attack prevention. - New default values for dnssec-keygen parameters. - Support for RFC 5011 automated trust anchor maintenance (see README.rfc5011 for additional details). - Smart signing: simplified tools for zone signing and key maintenance. - The "statistics-channels" option is now available on Windows. - A new DNSSEC-aware libdns API for use by non-BIND9 applications (see README.libdns for details). - On some platforms, named and other binaries can now print out a stack backtrace on assertion failure, to aid in debugging. - A "tools only" installation mode on Windows, which only installs dig, host, nslookup and nsupdate. - Improved PKCS#11 support, including Keyper support and explicit OpenSSL engine selection (see README.pkcs11 for additional details). Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then you should ensure that all changes that are in progress have completed prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible. BIND 9.7.0b3 can be downloaded from: ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz The PGP signature of the distribution is at: ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/bind-9.7.0b3.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp A binary kit for Windows XP, Windows 2003 and Windows 2008 is at: ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip The PGP signature of the binary kit is at: ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.7.0b3/BIND9.7.0b3.debug.zip.sha512.asc Changes since 9.7.0b2: --- 9.7.0b3 released --- 2785. [bug] Revoked keys could fail to self-sign [RT #20652] 2784. [bug] TC was not always being set when required glue was dropped. [RT #20655] 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP buffer size of 512 or less. [RT #20654] 2782. [port] win32: use getaddrinfo() for hostname lookups. [RT #20650] 2781. [bug] Inactive keys could be used for signing. [RT #20649] 2780. [bug] dnssec-keygen -A none didn't properly unset the activation date in all cases. [RT #20648] 2779. [bug] Dynamic key revokation could fail. [RT #20644] 2778. [bug] dnssec-signzone could fail when a key was revoked without deleting the unrevoked version. [RT #20638] 2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong. 2776. [bug] Change #2762 was not correct. [RT #20647] 2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible in dnssec-keyfromlabel. [RT #20643] 2774. [bug] Existing cache DB wasn't being reused after reconfiguration. [RT #20629] 2773. [bug] In autosigned zones, the SOA could be signed with the KSK. [RT #20628] 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] 2771. [bug] dnssec-signzone: DNSKEY records could be corrupted when importing from key files [RT #20624] 2770. [cleanup] Add log messages to resolver.c to indicate events causing FORMERR responses. [RT #20526] 2769. [cleanup] Change #2742 was incomplete. [RT #19589] 2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568] 2767. [bug] named could crash on startup if a zone was configured with auto-dnssec and there was no key-directory. [RT #20615] 2766. [bug] isc_socket_fdwatchpoke() should only update the socketmgr state if the socket is not pending on a read or write. [RT #20603] 2765. [bug] Skip masters for which the TSIG key cannot be found. [RT #20595] 2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610] 2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591] 2762. [bug] DLV validation failed with a local slave DLV zone. [RT #20577] 2761. [cleanup] Enable internal symbol table for backtrace only for systems that are known to work. Currently, BSD variants, Linux and Solaris are supported. [RT# 20202] 2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533] 2759. [doc] Add information about .jbk/.jnw files to the ARM. [RT #20303] 2758. [bug] win32: Added a workaround for a windows 2008 bug that could cause the UDP client handler to shut down. [RT #19176] 2757. [bug] dig: assertion failure could occur in connect timeout. [RT #20599] 2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597] 2755. [placeholder] 2754. [bug] Secure-to-insecure transitions failed when zone was signed with NSEC3. [RT #20587] 2753. [bug] Removed an unnecessary warning that could appear when building an NSEC chain. [RT #20588] 2752. [bug] Locking violation. [RT #20587] 2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588] 2750. [bug] dig: assertion failure could occur when a server didn't have an address. [RT #20579] 2749. [bug] ixfr-from-differences generated a non-minimal ixfr for NSEC3 signed zones. [RT #20452] 2748. [func] Identify bad answers from GTLD servers and treat them as referrals. [RT #18884] 2747. [bug] Journal roll forwards failed to set the re-signing time of RRSIGs correctly. [RT #20541] 2746. [port] hpux: address signed/unsigned expansion mismatch of dns_rbtnode_t.nsec. [RT #20542] 2745. [bug] configure script didn't probe the return type of gai_strerror(3) correctly. [RT #20573] 2744. [func] Log if a query was over TCP. [RT #19961] 2743. [bug] RRSIG could be incorrectly set in the NSEC3 record for a insecure delegation.