Release Notes

Introduction

BIND 9.19 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.20 release, this document will be updated with additional features added and bugs fixed. Please see the CHANGES file for a more detailed list of changes and bug fixes.

Supported Platforms

See the Supported Platforms section in the Resource Requirements chapter.

Download

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Known Issues

  • Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may require a manual configuration change. The following configurations are affected:

    In these cases please add inline-signing yes; to the individual zone configuration(s). Without applying this change, named will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing

  • According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

Notes for BIND 9.19.24

New Features

  • A new option signatures-jitter has been added to dnssec-policy to allow signature expirations to be spread out over a period of time. [GL #4554]

  • A new DNSSEC tool dnssec-ksr has been added to create Key Signing Request (KSR) and Signed Key Response (SKR) files. [GL #1128]

  • Queries and responses now emit distinct dnstap entries for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), and dnstap-read understands these entries. [GL #4523]

Removed Features

  • The named command-line option -U, which specified the number of UDP dispatches, has been removed. Using it now returns a warning. [GL #1879]

Feature Changes

  • Querying the statistics channel no longer blocks DNS communication on the networking event loop level. [GL #4680]

  • DNSSEC signatures that are not valid because the current time falls outside the signature inception and expiration dates no longer count towards maximum validation and maximum validation failure limits. [GL #4586]

  • Multiple RNDC messages are now processed when sent in a single TCP message.

    ISC would like to thank Dominik Thalhammer for reporting the issue and preparing the initial patch. [GL #4416]

  • dnssec-keygen now allows the options -k and -f to be used together. This allows the creation of keys for a given dnssec-policy that match only the KSK (-fK) or ZSK (-fZ) roles. [GL #1128]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.23

New Features

  • Added RESOLVER.ARPA to the built in empty zones. [GL #4580]

Feature Changes

  • Memory consumption of the new QP-trie database has been optimized. Large zones, which used to require significantly more memory with QP-trie, now only require roughly 15% more memory than the old red-black tree data structure. [GL #4614]

  • The sortlist option has been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4593]

  • The fixed value for the rrset-order option and the corresponding configure script option have been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4446]

Bug Fixes

  • A bug in the keymgr code unintentionally slowed down some DNSSEC key rollovers. This has been fixed. [GL #4552]

  • Two bugs that could have caused resolvers configured with the new cache data structure to crash or hang have been fixed. [GL #4622] [GL #4652]

  • Some ISO 8601 durations were accepted erroneously, leading to shorter durations than expected. This has been fixed. [GL #4624]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.22

New Features

  • Information on incoming zone transfers in the statistics channel now also shows the zones’ “first refresh” flag, which indicates that a zone is not fully ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the rndc status command. [GL #4241]

  • The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. [GL #4425]

  • HSM support was added to dnssec-policy. Keys can now be configured with a key-store that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. [GL #1129]

  • The tls block was extended with a new cipher-suites option that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. [GL #3504]

  • Support for the RESINFO record type was added. [GL #4413]

Removed Features

  • BIND 9 no longer supports non-zero stale-answer-client-timeout values, when the feature is turned on. When using a non-zero value, named now generates a warning log message, and treats the value as 0. [GL #4447]

Feature Changes

  • The dnssec-validation yes option now requires an explicitly configured trust-anchors statement. If using manual trust anchors is not operationally required, then please consider using dnssec-validation auto instead. [GL #4373]

  • The red-black tree data structure used in the RBTDB (the default database implementation for cache and zone databases), has been replaced with QP-tries. This is expected to improve performance and scalability, though in the current implementation it is known to have larger memory consumption.

    A side effect of this change is that zone files that are created with masterfile-style relative - for example, the output of dnssec-signzone - will no longer have multiple different $ORIGIN statements. There should be no other changes to server behavior.

    The old RBT-based database still exists for now, and can be used by specifying database rbt in a zone statement in named.conf, or by compiling with configure --with-zonedb=rbt --with-cachedb=rbt. [GL #4411]

Bug Fixes

  • A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. [GL #4596]

  • Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. [GL #4621]

  • The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. [GL #4591]

  • Changes to listen-on statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed.

    ISC would like to thank Thomas Amgarten for bringing this issue to our attention. [GL #4518] [GL #4528]

  • It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. [GL #4595]

    ISC would like to thank Jinmei Tatuya of Infoblox for bringing this issue to our attention.

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.21

Security Fixes

  • Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387)

    ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention. [GL #4424]

  • Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [GL #4459]

  • Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408)

    ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4234]

  • Specific queries could cause named to crash with an assertion failure when nxdomain-redirect was enabled. This has been fixed. (CVE-2023-5517) [GL #4281]

  • A bad interaction between DNS64 and serve-stale could cause named to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) [GL #4334]

Feature Changes

  • named-compilezone no longer performs zone integrity checks by default; this allows faster conversion of a zone file from one format to another. [GL #4364]

    Zone checks can be performed by running named-checkzone separately, or the previous default behavior can be restored by using:

    named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail

Bug Fixes

  • The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0. [GL #4467]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.20

Note

The BIND 9.19.20 release was withdrawn after the discovery of a regression in a security fix in it during pre-release testing. ISC would like to acknowledge the assistance of Curtis Tuplin of SaskTel.

Notes for BIND 9.19.19

New Features

Removed Features

  • Support for using AES as the DNS COOKIE algorithm (cookie-algorithm aes;) has been removed. The only supported DNS COOKIE algorithm is now the current default, SipHash-2-4. [GL #4421]

  • The resolver-nonbackoff-tries and resolver-retry-interval statements have been removed. Using them is now a fatal error. [GL #4405]

Feature Changes

  • The maximum number of NSEC3 iterations allowed for validation purposes has been lowered from 150 to 50. DNSSEC responses containing NSEC3 records with iteration counts greater than 50 are now treated as insecure. [GL #4363]

  • Following RFC 9276 recommendations, dnssec-policy now only allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using NSEC3 that the policy manages. [GL #4363]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.18

New Features

  • The statistics channel now includes information about incoming zone transfers that are currently in progress. [GL #3883]

  • The new resolver-use-dns64 option enables named to apply dns64 rules to IPv4 server addresses when sending recursive queries, so that resolution can be performed over a NAT64 connection. [GL #608]

Removed Features

  • Support for the lock-file statement and the named -X command-line option has been removed. An external process supervisor should be used instead. [GL #4391]

    Alternatively, the flock utility (part of util-linux) can be used on Linux systems to achieve the same effect as lock-file or named -X:

    flock -n -x <directory>/named.lock <path>/named <arguments>

  • Configuring the control channel to use a Unix domain socket has been a fatal error since BIND 9.18. The feature has now been completely removed and named-checkconf now reports it as a configuration error. [GL #4311]

Feature Changes

  • Processing large incremental transfers (IXFR) has been offloaded to a separate work thread so that it does not prevent networking threads from processing regular traffic in the meantime. [GL #4367]

  • QNAME minimization is now used when looking up the addresses of name servers during the recursive resolution process. [GL #4209]

  • The inline-signing zone option is now ignored if there is no dnssec-policy configured for the zone. This means that unsigned zones no longer create redundant signed versions of the zone. [GL #4349]

  • The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b. [GL #4101]

Bug Fixes

  • max-cache-size accidentally became ineffective in BIND 9.19.16. This has been fixed and the option now behaves as documented again. [GL #4340]

  • If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed. [GL #4350]

  • Looking up stale data from the cache did not take local authoritative data into account. This has been fixed. [GL #4355]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.17

Security Fixes

  • Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. This has been fixed. (CVE-2023-3341)

    ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152]

New Features

  • Support for User Statically Defined Tracing (USDT) probes has been added. These probes enable fine-grained application tracing and introduce no overhead when they are not enabled. [GL #4041]

  • The client-side support of the EDNS EXPIRE option has been expanded to include IXFR and AXFR query types. This enhancement enables named to perform AXFR and IXFR queries while incorporating the EDNS EXPIRE option. [GL #4170]

Removed Features

Feature Changes

  • Compiling with jemalloc versions older than 4.0.0 is no longer supported; those versions do not provide the features required by current BIND 9 releases. [GL #4296]

  • If the server command is specified, nsupdate now honors the nsupdate -v option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181]

Bug Fixes

  • The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the statistics-channels block definition and usage section). [GL #4124]

    This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead.

  • The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL #4125]

    This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

  • Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159]

    This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.

  • The introduction of krb5-subdomain-self-rhs and ms-subdomain-self-rhs UPDATE policies accidentally caused named to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280]

  • The stale-refresh-time feature was mistakenly disabled when the server cache was flushed by rndc flush. This has been fixed. [GL #4278]

  • BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.16

Removed Features

Feature Changes

  • BIND now returns BADCOOKIE for out-of-date or otherwise bad but well-formed DNS server cookies. [GL #4194]

  • When a primary server for a zone responds to an SOA query, but the subsequent TCP connection required to transfer the zone is refused, that server is marked as temporarily unreachable. This now also happens if the TCP connection attempt times out, preventing too many zones from queuing up on an unreachable server and allowing the refresh process to move on to the next configured primary more quickly. [GL #4215]

  • The inline-signing statement can now also be set inside dnssec-policy. The built-in policies default and insecure enable the use of inline-signing. If inline-signing is set at the zone level, it overrides the value set in dnssec-policy. [GL #3677]

  • To improve query-processing latency under load, the uninterrupted time spent on resolving long chains of cached domain names has been reduced. [GL #4185]

  • The dialup and heartbeat-interval options have been deprecated and will be removed in a future BIND 9 release. [GL #3700]

Bug Fixes

  • Setting dnssec-policy to insecure prevented zones containing resource records with a TTL value larger than 86400 seconds (1 day) from being loaded. This has been fixed by ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations. [GL #4032]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.15

Feature Changes

  • The relaxed QNAME minimization mode now uses NS records. This reduces the number of queries named makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals. [GL #3325]

Bug Fixes

  • The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.19.6 and BIND 9.18.8, has been restored. [GL #3668] [GL #4154]

  • Several minor stability issues with the catalog zone implementation have been fixed. [GL #4132] [GL #4136] [GL #4171]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.14

Security Fixes

  • The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828)

    ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4055]

New Features

  • The read timeout in rndc can now be specified on the command line using the -t option, allowing commands that take a long time to complete sufficient time to do so. [GL #4046]

  • Support for multi-signer model 2 (RFC 8901) when using inline-signing was added. [GL #2710]

  • A new option to dnssec-policy has been added, cdnskey, that allows users to enable or disable the publication of CDNSKEY records. [GL #4050]

  • The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). [GL #3978]

Removed Features

  • Special-case code that was originally added to allow GSS-TSIG to work around bugs in the Windows 2000 version of Active Directory has now been removed, since Windows 2000 is long past end-of-life. The -o option and the oldgsstsig command to nsupdate have been deprecated, and are now treated as synonyms for -g and gsstsig respectively. [GL #4012]

Feature Changes

  • If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query, named now retries sending the query to the same server without an EDNS COOKIE option. [GL #4049]

  • The responsiveness of named was improved, when serving as an authoritative DNS server for a delegation-heavy zone(s) shortly after loading such zone(s). [GL #4045]

Bug Fixes

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.13

New Features

Bug Fixes

  • When the same notify-source address and port number was configured for multiple destinations and zones, an unresponsive server could tie up the relevant network socket until it timed out; in the meantime, NOTIFY messages for other servers silently failed. named will now retry sending such NOTIFY messages over TCP. Furthermore, NOTIFY failures are now logged at the INFO level. [GL #4001] [GL #4002]

  • The max-transfer-time-in and max-transfer-idle-in statements have not had any effect since the BIND 9 networking stack was refactored in version 9.16. The missing functionality has been re-implemented and incoming zone transfers now time out properly when not progressing. [GL #4004]

  • The read timeout in rndc is now 60 seconds, matching the behavior in BIND 9.16 and earlier. It had previously been lowered to 30 seconds by mistake. [GL #4046]

  • When the ISC_R_INVALIDPROTO (ENOPROTOOPT, EPROTONOSUPPORT) error code is returned by libuv, it is now treated as a network failure: the server for which that error code is returned gets marked as broken and is not contacted again during a given resolution process. [GL #4005]

  • When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed. [GL #4027]

  • A flaw in reworked code responsible for accepting TCP connections has been addressed. This issue could cause a visible performance drop for TCP queries on some platforms, notably FreeBSD, and has now been fixed. [GL #3985]

  • Log file rotation code did not clean up older versions of log files when the logging channel had an absolute path configured as a file destination. This has been fixed. [GL #3991]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.12

Security Fixes

  • An error in DNS message processing introduced in development version 9.19.11 could cause BIND and its utilities to crash if the maximum permissible number of DNS labels were present. This has been fixed. [GL #3998]

Known Issues

  • Loading a large number of zones is significantly slower in BIND 9.19.12 than in the previous development releases due to a new data structure being used for storing information about the zones to serve. This slowdown is considered to be a bug and will be addressed in a future BIND 9.19.x development release. [GL #4006]

  • A flaw in reworked code responsible for accepting TCP connections may cause a visible performance drop for TCP queries on some platforms, notably FreeBSD. This issue will be fixed in a future BIND 9.19.x development release. [GL #3985]

  • See above for a list of all known issues affecting this BIND 9 branch.

New Features

  • BIND now depends on liburcu, Userspace RCU, for lock-free data structures. [GL #3934]

  • The new command-line delv +ns option activates name server mode, to more accurately reproduce the behavior of named when resolving a query. In this mode, delv uses an internal recursive resolver rather than an external server. All messages sent and received during the resolution and validation process are logged. This can be used in place of dig +trace. [GL #3842]

  • A new configuration option, checkds, has been introduced. When set to yes, it detects parental-agents automatically by resolving the parent NS records. These name servers are queried to check the DS RRset during a KSK rollover initiated by dnssec-policy. [GL #3901]

Removed Features

  • The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been removed and using TKEY Mode 2 is now a fatal error. Users are advised to switch to TKEY Mode 3 (GSS-API). [GL #3905]

  • Zone type delegation-only, and the delegation-only and root-delegation-only statements, have been removed. Using them is a configuration error.

    These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed. [GL #3953]

Feature Changes

  • The log message resolver priming query complete has been moved from the INFO log level to the DEBUG(1) log level, to prevent delv from emitting that message when setting up its internal resolver. [GL #3842]

Bug Fixes

  • Several bugs which could cause named to crash during catalog zone processing have been fixed. [GL #3955] [GL #3968] [GL #3997]

  • Performance of DNSSEC validation in zones with many DNSKEY records has been improved. [GL #3981]

Notes for BIND 9.19.11

New Features

Removed Features

  • Support for Red Hat Enterprise Linux version 7 (and clones) has been dropped. A C11-compliant compiler is now required to compile BIND 9. [GL #3729]

  • The functions that were in the libbind9 shared library have been moved to the libisc and libisccfg libraries. The now-empty libbind9 has been removed and is no longer installed. [GL #3903]

  • The irs_resconf module has been moved to the libdns shared library. The now-empty libirs library has been removed and is no longer installed. [GL #3904]

Feature Changes

  • Catalog zone updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of named when catalog zone updates are being applied after a catalog zone has been successfully transferred. [GL #3881]

  • libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup:

    • Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error.

    • Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower.

    • Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0.

    This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call. [GL #3840]

Bug Fixes

  • named could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed. [GL #3911]

  • When named starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading. [GL #3673]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.10

New Features

  • The forwarders statement now supports the tls argument, to be used to forward queries to DoT-enabled servers. [GL #3726]

Removed Features

Feature Changes

  • The memory statistics have been reduced to a single counter, InUse; Malloced is an alias that holds the same value. The other counters were usable with the old BIND 9 internal memory allocator, but they are unnecessary now that the latter has been removed. [GL #3718]

Bug Fixes

  • A constant stream of zone additions and deletions via rndc reconfig could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. [GL #3801]

  • The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved. [GL #3795]

  • Pointing parental-agents to a resolver did not work because the RD bit was not set on DS requests. This has been fixed. [GL #3783]

  • Building BIND 9 failed when the --enable-dnsrps switch for ./configure was used. This has been fixed. [GL #3827]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.9

Security Fixes

  • An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new update-quota option that controls the maximum number of outstanding DNS UPDATE messages that named can hold in a queue at any given time (default: 100). (CVE-2022-3094)

    ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523]

  • named could crash with an assertion failure when an RRSIG query was received and stale-answer-client-timeout was set to a non-zero value. This has been fixed. (CVE-2022-3736)

    ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622]

  • named running as a resolver with the stale-answer-client-timeout option set to any value greater than 0 could crash with an assertion failure, when the recursive-clients soft quota was reached. This has been fixed. (CVE-2022-3924)

    ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619]

New Features

  • The new update-quota option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523]

Removed Features

  • The statements setting alternate local addresses for inbound zone transfers (alt-transfer-source, alt-transfer-source-v6, and use-alt-transfer-source) have been removed. [GL #3714]

  • The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in named.conf now causes a warning to be logged. [GL #3773]

Feature Changes

  • A new way of configuring the preferred source address when talking to remote servers, such as primaries and parental-agents, has been added: setting the source and/or source-v6 arguments for a given statement is now possible. This new approach is intended to eventually replace statements such as parental-source, parental-source-v6, transfer-source, etc. [GL #3762]

  • The code for DNS over TCP and DNS over TLS transports has been replaced with a new, unified transport implementation. [GL #3374]

Bug Fixes

  • A rare assertion failure was fixed in outgoing TCP DNS connection handling. [GL #3178] [GL #3636]

  • In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3752]

  • In certain query resolution scenarios (e.g. when following CNAME records), named configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678]

  • When an outgoing request timed out, named would retry up to three times with the same server instead of trying the next available name server. This has been fixed. [GL #3637]

  • Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner. [GL #3739]

  • The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. [GL #3743]

  • Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed. [GL #3725]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.8

Removed Features

  • The coresize, datasize, files, and stacksize options have been removed. The limits these options set should be enforced externally, either by manual configuration (e.g. using ulimit) or via the process supervisor (e.g. systemd). [GL #3676]

  • Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no longer trigger key rollovers and denial-of-existence operations. This also means that the dnssec-secure-to-insecure option has been obsoleted. [GL #3686]

Feature Changes

  • The TTL of the NSEC3PARAM record for every NSEC3-signed zone was previously set to 0. It is now changed to match the SOA MINIMUM value for the given zone. [GL #3570]

  • The --with-tuning option for configure has been removed. Each of the compile-time settings that required different values based on the “workload” (which were previously affected by the value of the --with-tuning option) has either been removed or changed to a sensible default. [GL #3664]

  • The auto-dnssec option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]

  • Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (alt-transfer-source, alt-transfer-source-v6, and use-alt-transfer-source) will be removed in a future BIND 9.19.x release. [GL #3694]

  • On startup, named now sets the limit on the number of open files to the maximum allowed by the operating system, instead of trying to set it to “unlimited”. [GL #3676]

  • The number of HTTP headers allowed in requests sent to named’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. [GL #3670]

Bug Fixes

  • named could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). This has been fixed. [GL #3693]

  • When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the named process to crash. This has been fixed. [GL #3683]

  • When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]

  • TLS configuration for primary servers was not applied for zones that were members of a catalog zone. This has been fixed. [GL #3638]

  • In certain cases, named waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]

  • host and nslookup command-line options setting the custom TCP/UDP port to use were ignored for ANY queries (which are sent over TCP). This has been fixed. [GL #3721]

  • The new name compression code in BIND 9.19.7 was not compressing names in zone transfers that should have been compressed, so zone transfers were larger than before. This has been fixed. [GL #3706]

  • The zone <name>/<class>: final reference detached log message was moved from the INFO log level to the DEBUG(1) log level to prevent the named-checkzone tool from superfluously logging this message in non-debug mode. [GL #3707]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.7

New Features

Feature Changes

  • On Linux, libcap is now a required dependency to help named keep needed privileges. [GL #3583]

  • The DNS name compression algorithm used in BIND 9 has been revised: it now compresses more thoroughly than before, so responses containing names with many labels might have a smaller encoding than before. [GL #3661]

Bug Fixes

  • A crash was fixed that happened when a dnssec-policy zone that used NSEC3 was reconfigured to enable inline-signing. [GL #3591]

  • In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3598]

  • rpz-ip rules in response-policy zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. This has been fixed. [GL #3247]

  • Previously, if Internet connectivity issues were experienced during the initial startup of named, a BIND resolver with dnssec-validation set to auto could enter into a state where it would not recover without stopping named, manually deleting the managed-keys.bind and managed-keys.bind.jnl files, and starting named again. This has been fixed. [GL #2895]

  • Previously, the port in remote servers such as in primaries and parental-agents could be wrongly configured because of an inheritance bug. This has been fixed. [GL #3627]

  • Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. [GL #3563]

  • When a DNS resource record’s TTL value was equal to the resolver’s configured prefetch “eligibility” value, the record was erroneously not treated as eligible for prefetching. This has been fixed. [GL #3603]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.6

Known Issues

New Features

  • Support for parsing and validating the dohpath service parameter in SVCB records was added. [GL #3544]

  • named now supports forwarding Dynamic DNS updates through DNS-over-TLS (DoT). [GL #3512]

  • The nsupdate tool now supports DNS-over-TLS (DoT). [GL #1781]

  • named now logs the supported cryptographic algorithms during startup and in the output of named -V. [GL #3541]

  • A new configuration option require-cookie has been introduced. It specifies whether there should be a DNS COOKIE in the response for a given prefix; if not, named falls back to TCP. This is useful if it is known that a given server supports DNS COOKIE. It can also be used to force all non-DNS COOKIE responses to fall back to TCP. [GL #2295]

  • Support for libsystemd’s sd_notify() function was added, enabling named to report its status to the init system. This allows systemd to wait until named is fully ready before starting other services that depend on name resolution. [GL #1176]

  • The recursion not available and query (cache) '...' denied log messages were extended to include the name of the ACL that caused a given query to be denied. [GL #3587]

Feature Changes

  • When an international domain name is not valid according to IDNA2008, dig now tries to convert it according to IDNA2003 rules, or pass it through unchanged, instead of stopping with an error message. The idna2 utility can be used to check IDNA syntax. [GL #3527]

  • The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by “+”, followed by the key ID: for example, 8+54274. [GL #3525]

  • The ability to use PKCS#11 via engine_pkcs11 has been restored, by using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be compiled with -DOPENSSL_API_COMPAT=10100 specified in the CFLAGS environment variable at compile time. [GL #3578]

  • Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. libuv should be available on all supported platforms either as a native package or as a backport. [GL #3567]

Bug Fixes

  • An assertion failure was fixed in named that was caused by aborting the statistics channel connection while sending statistics data to the client. [GL #3542]

  • named could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. This has been fixed. [GL #1967]

  • Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. This has been fixed. [GL #3557]

Notes for BIND 9.19.5

Security Fixes

  • Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795)

    ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]

  • When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) [GL #3493]

  • Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) [GL #3491]

  • named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]

  • Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]

New Features

  • A new Response Policy Zone (RPZ) option, ede, was added. It enables an RFC 8914 Extended DNS Error (EDE) code of choice to be set for responses which have been modified by a given RPZ. [GL #3410]

  • Worker threads’ event loops are now managed by a new “loop manager” API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. [GL #3508]

Feature Changes

  • Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]

  • Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]

  • When reconfiguring dnssec-policy from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. [GL #3486]

  • A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in dig and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]

Bug Fixes

  • A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.4

Removed Features

Feature Changes

  • The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]

  • Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]

Bug Fixes

  • When running as a validating resolver forwarding all queries to another resolver, named could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response and named failed its attempts to find a proper one instead. This has been fixed. [GL #3439]

  • DNS compression is no longer applied to the root name (.) if it is repeatedly used in the same RRset. [GL #3423]

  • Non-dynamic zones that inherit dnssec-policy from the view or options blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]

  • rndc dumpdb -expired was fixed to include expired RRsets, even if stale-cache-enable is set to no and the cache-cleaning time window has passed. [GL #3462]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.3

New Features

Removed Features

  • The glue-cache option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]

Feature Changes

Bug Fixes

  • An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]

  • When grafting non-delegated namespace onto delegated namespace, synth-from-dnssec could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]

  • Previously, named immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed: named acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]

  • Previously, rndc reconfig did not pick up changes to endpoints statements in http blocks. This has been fixed. [GL #3415]

  • It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.2

Feature Changes

  • New dnssec-policy configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]

Bug Fixes

  • The fetches-per-server quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]

  • DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]

  • Key files were updated every time the dnssec-policy key manager ran, whether the metadata had changed or not. named now checks whether changes were applied before writing out the key files. [GL #3302]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.1

Security Fixes

  • Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in named instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.

    ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]

New Features

  • Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by named. All of the previously supported BIND-specific catalog zone custom properties (primaries, allow-query, and allow-transfer), as well as the new Change of Ownership (coo) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, the version property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]

  • Support DNS Extended Errors (RFC 8914) Stale Answer and Stale NXDOMAIN Answer when stale answers are returned from cache. [GL #2267]

  • The Object Identifier (OID) embedded at the start of a PRIVATEOID public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. The Object Identifier is now printed when the dig +rrcomments option is used. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3234]

  • The Object Identifier (OID) embedded at the start of a PRIVATEOID signature in a SIG, or RRSIG resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3296]

Bug Fixes

  • Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the auto-dnssec maintain; option. This has been fixed. [GL #2931]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

Notes for BIND 9.19.0

Known Issues

  • According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

  • See above for a list of all known issues affecting this BIND 9 branch.

New Features

  • Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]

  • dnssec-verify and dnssec-signzone now accept a -J option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]

Removed Features

  • The keep-response-order option has been declared obsolete and the functionality has been removed. named expects DNS clients to be fully compliant with RFC 7766. [GL #3140]

Feature Changes

  • Run RPZ updates on the specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This should increase the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]

  • The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3212] [GL #3744]

License

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

End of Life

BIND 9.19 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.20, which will be a stable branch. The end-of-life date for BIND 9.20 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible.