Release Notes
Introduction
BIND 9.19 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.20 release, this document will be updated with additional features added and bugs fixed. Please see the CHANGES file for a more detailed list of changes and bug fixes.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Known Issues
Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may require a manual configuration change. The following configurations are affected:
type primary
zones configured withdnssec-policy
but without eitherallow-update
orupdate-policy
,type secondary
zones configured withdnssec-policy
.
In these cases please add
inline-signing yes;
to the individual zone configuration(s). Without applying this change,named
will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signingAccording to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
Notes for BIND 9.19.23
New Features
Added RESOLVER.ARPA to the built in empty zones. [GL #4580]
Feature Changes
Memory consumption of the new QP-trie database has been optimized. Large zones, which used to require significantly more memory with QP-trie, now only require roughly 15% more memory than the old red-black tree data structure. [GL #4614]
The
sortlist
option has been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4593]The
fixed
value for therrset-order
option and the correspondingconfigure
script option have been deprecated and will be removed in a future BIND 9.21.x release. Users should not rely on a specific order of resource records in DNS messages. [GL #4446]
Bug Fixes
A bug in the keymgr code unintentionally slowed down some DNSSEC key rollovers. This has been fixed. [GL #4552]
Two bugs that could have caused resolvers configured with the new cache data structure to crash or hang have been fixed. [GL #4622] [GL #4652]
Some ISO 8601 durations were accepted erroneously, leading to shorter durations than expected. This has been fixed. [GL #4624]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.22
New Features
Information on incoming zone transfers in the statistics channel now also shows the zones’ “first refresh” flag, which indicates that a zone is not fully ready and that its first ever refresh is pending or is in progress. The number of such zones is now also exposed by the
rndc status
command. [GL #4241]The statistics channel now includes counters that indicate the number of currently connected TCP IPv4/IPv6 clients. [GL #4425]
HSM support was added to
dnssec-policy
. Keys can now be configured with akey-store
that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL. [GL #1129]The
tls
block was extended with a newcipher-suites
option that allows permitted cipher suites for TLSv1.3 to be set. Please consult the documentation for additional details. [GL #3504]Support for the RESINFO record type was added. [GL #4413]
Removed Features
BIND 9 no longer supports non-zero
stale-answer-client-timeout
values, when the feature is turned on. When using a non-zero value,named
now generates a warning log message, and treats the value as0
. [GL #4447]
Feature Changes
The
dnssec-validation yes
option now requires an explicitly configuredtrust-anchors
statement. If using manual trust anchors is not operationally required, then please consider usingdnssec-validation auto
instead. [GL #4373]The red-black tree data structure used in the RBTDB (the default database implementation for cache and zone databases), has been replaced with QP-tries. This is expected to improve performance and scalability, though in the current implementation it is known to have larger memory consumption.
A side effect of this change is that zone files that are created with
masterfile-style
relative
- for example, the output ofdnssec-signzone
- will no longer have multiple different $ORIGIN statements. There should be no other changes to server behavior.The old RBT-based database still exists for now, and can be used by specifying
database rbt
in azone
statement innamed.conf
, or by compiling withconfigure --with-zonedb=rbt --with-cachedb=rbt
. [GL #4411]
Bug Fixes
A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured
max-cache-size
limit was reached. This has been fixed. [GL #4596]Using
rndc flush
inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configuredmax-cache-size
limit being exceeded and has now been fixed. [GL #4621]The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing
max-cache-ttl
andmax-ncache-ttl
in a timely manner. [GL #4591]Changes to
listen-on
statements were ignored on reconfiguration unless the port or interface address was changed, making it impossible to change a related listener transport type. That issue has been fixed.ISC would like to thank Thomas Amgarten for bringing this issue to our attention. [GL #4518] [GL #4528]
It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. [GL #4595]
ISC would like to thank Jinmei Tatuya of Infoblox for bringing this issue to our attention.
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.21
Security Fixes
Validating DNS messages containing a lot of DNSSEC signatures could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50387)
ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for bringing this vulnerability to our attention. [GL #4424]
Preparing an NSEC3 closest encloser proof could cause excessive CPU load, leading to a denial-of-service condition. This has been fixed. (CVE-2023-50868) [GL #4459]
Parsing DNS messages with many different names could cause excessive CPU load. This has been fixed. (CVE-2023-4408)
ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4234]
Specific queries could cause
named
to crash with an assertion failure whennxdomain-redirect
was enabled. This has been fixed. (CVE-2023-5517) [GL #4281]A bad interaction between DNS64 and serve-stale could cause
named
to crash with an assertion failure, when both of these features were enabled. This has been fixed. (CVE-2023-5679) [GL #4334]
Feature Changes
named-compilezone
no longer performs zone integrity checks by default; this allows faster conversion of a zone file from one format to another. [GL #4364]Zone checks can be performed by running
named-checkzone
separately, or the previous default behavior can be restored by using:named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail
Bug Fixes
The counters exported via the statistics channel were changed back to 64-bit signed values; they were being inadvertently truncated to unsigned 32-bit values since BIND 9.15.0. [GL #4467]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.20
Note
The BIND 9.19.20 release was withdrawn after the discovery of a regression in a security fix in it during pre-release testing. ISC would like to acknowledge the assistance of Curtis Tuplin of SaskTel.
Notes for BIND 9.19.19
New Features
Initial support for the PROXYv2 protocol was added.
named
can now accept PROXYv2 headers over all currently implemented DNS transports anddig
can insert these headers into the queries it sends. Please consult the related documentation (allow-proxy
,allow-proxy-on
,listen-on
, andlisten-on-v6
fornamed
,dig +proxy
anddig +proxy-plain
fordig
) for additional details. [GL #4388]
Removed Features
Support for using AES as the DNS COOKIE algorithm (
cookie-algorithm aes;
) has been removed. The only supported DNS COOKIE algorithm is now the current default, SipHash-2-4. [GL #4421]The
resolver-nonbackoff-tries
andresolver-retry-interval
statements have been removed. Using them is now a fatal error. [GL #4405]
Feature Changes
The maximum number of NSEC3 iterations allowed for validation purposes has been lowered from 150 to 50. DNSSEC responses containing NSEC3 records with iteration counts greater than 50 are now treated as insecure. [GL #4363]
Following RFC 9276 recommendations,
dnssec-policy
now only allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using NSEC3 that the policy manages. [GL #4363]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.18
New Features
The statistics channel now includes information about incoming zone transfers that are currently in progress. [GL #3883]
The new
resolver-use-dns64
option enablesnamed
to applydns64
rules to IPv4 server addresses when sending recursive queries, so that resolution can be performed over a NAT64 connection. [GL #608]
Removed Features
Support for the
lock-file
statement and thenamed -X
command-line option has been removed. An external process supervisor should be used instead. [GL #4391]Alternatively, the
flock
utility (part of util-linux) can be used on Linux systems to achieve the same effect aslock-file
ornamed -X
:flock -n -x <directory>/named.lock <path>/named <arguments>
Configuring the control channel to use a Unix domain socket has been a fatal error since BIND 9.18. The feature has now been completely removed and
named-checkconf
now reports it as a configuration error. [GL #4311]
Feature Changes
Processing large incremental transfers (IXFR) has been offloaded to a separate work thread so that it does not prevent networking threads from processing regular traffic in the meantime. [GL #4367]
QNAME minimization is now used when looking up the addresses of name servers during the recursive resolution process. [GL #4209]
The
inline-signing
zone option is now ignored if there is nodnssec-policy
configured for the zone. This means that unsigned zones no longer create redundant signed versions of the zone. [GL #4349]The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b. [GL #4101]
Bug Fixes
max-cache-size
accidentally became ineffective in BIND 9.19.16. This has been fixed and the option now behaves as documented again. [GL #4340]If the unsigned version of an inline-signed zone contained DNSSEC records, it was incorrectly scheduled for resigning. This has been fixed. [GL #4350]
Looking up stale data from the cache did not take local authoritative data into account. This has been fixed. [GL #4355]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.17
Security Fixes
Previously, sending a specially crafted message over the control channel could cause the packet-parsing code to run out of available stack memory, causing
named
to terminate unexpectedly. This has been fixed. (CVE-2023-3341)ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for bringing this vulnerability to our attention. [GL #4152]
New Features
Support for User Statically Defined Tracing (USDT) probes has been added. These probes enable fine-grained application tracing and introduce no overhead when they are not enabled. [GL #4041]
The client-side support of the EDNS EXPIRE option has been expanded to include IXFR and AXFR query types. This enhancement enables
named
to perform AXFR and IXFR queries while incorporating the EDNS EXPIRE option. [GL #4170]
Removed Features
The
dnssec-must-be-secure
option has been deprecated and will be removed in a future release. [GL #4263]
Feature Changes
Compiling with jemalloc versions older than 4.0.0 is no longer supported; those versions do not provide the features required by current BIND 9 releases. [GL #4296]
If the
server
command is specified,nsupdate
now honors thensupdate -v
option for SOA queries by sending both the UPDATE request and the initial query over TCP. [GL #1181]
Bug Fixes
The value of the If-Modified-Since header in the statistics channel was not being correctly validated for its length, potentially allowing an authorized user to trigger a buffer overflow. Ensuring the statistics channel is configured correctly to grant access exclusively to authorized users is essential (see the
statistics-channels
block definition and usage section). [GL #4124]This issue was reported independently by Eric Sesterhenn of X41 D-Sec GmbH and Cameron Whitehead.
The Content-Length header in the statistics channel was lacking proper bounds checking. A negative or excessively large value could potentially trigger an integer overflow and result in an assertion failure. [GL #4125]
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
Several memory leaks caused by not clearing the OpenSSL error stack were fixed. [GL #4159]
This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
The introduction of
krb5-subdomain-self-rhs
andms-subdomain-self-rhs
UPDATE policies accidentally causednamed
to return SERVFAIL responses to deletion requests for non-existent PTR and SRV records. This has been fixed. [GL #4280]The
stale-refresh-time
feature was mistakenly disabled when the server cache was flushed byrndc flush
. This has been fixed. [GL #4278]BIND’s memory consumption has been improved by implementing dedicated jemalloc memory arenas for sending buffers. This optimization ensures that memory usage is more efficient and better manages the return of memory pages to the operating system. [GL #4038]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.16
Removed Features
The
auto-dnssec
configuration statement has been removed. Please usednssec-policy
or manual signing instead. The following statements have become obsolete:dnskey-sig-validity
,dnssec-dnskey-kskonly
,dnssec-update-mode
,sig-validity-interval
, andupdate-check-ksk
. [GL #3672]
Feature Changes
BIND now returns BADCOOKIE for out-of-date or otherwise bad but well-formed DNS server cookies. [GL #4194]
When a primary server for a zone responds to an SOA query, but the subsequent TCP connection required to transfer the zone is refused, that server is marked as temporarily unreachable. This now also happens if the TCP connection attempt times out, preventing too many zones from queuing up on an unreachable server and allowing the refresh process to move on to the next configured primary more quickly. [GL #4215]
The
inline-signing
statement can now also be set insidednssec-policy
. The built-in policiesdefault
andinsecure
enable the use ofinline-signing
. Ifinline-signing
is set at thezone
level, it overrides the value set indnssec-policy
. [GL #3677]To improve query-processing latency under load, the uninterrupted time spent on resolving long chains of cached domain names has been reduced. [GL #4185]
The
dialup
andheartbeat-interval
options have been deprecated and will be removed in a future BIND 9 release. [GL #3700]
Bug Fixes
Setting
dnssec-policy
toinsecure
prevented zones containing resource records with a TTL value larger than 86400 seconds (1 day) from being loaded. This has been fixed by ignoring the TTL values in the zone and using a value of 604800 seconds (1 week) as the maximum zone TTL in key rollover timing calculations. [GL #4032]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.15
Feature Changes
The
relaxed
QNAME minimization mode now uses NS records. This reduces the number of queriesnamed
makes when resolving, as it allows the non-existence of NS RRsets at non-referral nodes to be cached in addition to the normally cached referrals. [GL #3325]
Bug Fixes
The ability to read HMAC-MD5 key files, which was accidentally lost in BIND 9.19.6 and BIND 9.18.8, has been restored. [GL #3668] [GL #4154]
Several minor stability issues with the catalog zone implementation have been fixed. [GL #4132] [GL #4136] [GL #4171]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.14
Security Fixes
The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured
max-cache-size
limit. (CVE-2023-2828)ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention. [GL #4055]
New Features
The read timeout in
rndc
can now be specified on the command line using the-t
option, allowing commands that take a long time to complete sufficient time to do so. [GL #4046]Support for multi-signer model 2 (RFC 8901) when using
inline-signing
was added. [GL #2710]A new option to
dnssec-policy
has been added,cdnskey
, that allows users to enable or disable the publication of CDNSKEY records. [GL #4050]The system test suite can now be executed with pytest (along with pytest-xdist for parallel execution). [GL #3978]
Removed Features
Special-case code that was originally added to allow GSS-TSIG to work around bugs in the Windows 2000 version of Active Directory has now been removed, since Windows 2000 is long past end-of-life. The
-o
option and theoldgsstsig
command tonsupdate
have been deprecated, and are now treated as synonyms for-g
andgsstsig
respectively. [GL #4012]
Feature Changes
If a response from an authoritative server has its RCODE set to FORMERR and contains an echoed EDNS COOKIE option that was present in the query,
named
now retries sending the query to the same server without an EDNS COOKIE option. [GL #4049]The responsiveness of
named
was improved, when serving as an authoritative DNS server for a delegation-heavy zone(s) shortly after loading such zone(s). [GL #4045]
Bug Fixes
When the
stale-answer-enable
option was enabled and thestale-answer-client-timeout
option was enabled and larger than 0,named
previously allocated two slots from theclients-per-query
limit for each client and failed to gradually auto-tune its value, as configured. This has been fixed. [GL #4074]Previously, it was possible for a delegation from cache to be returned to the client after the
stale-answer-client-timeout
duration. This has been fixed. [GL #3950]BIND could allocate too big buffers when sending data via stream-based DNS transports, leading to increased memory usage. This has been fixed. [GL #4038]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.13
New Features
dnstap-read
can now print long timestamps with millisecond precision. [GL #2360]
Bug Fixes
When the same
notify-source
address and port number was configured for multiple destinations and zones, an unresponsive server could tie up the relevant network socket until it timed out; in the meantime, NOTIFY messages for other servers silently failed.named
will now retry sending such NOTIFY messages over TCP. Furthermore, NOTIFY failures are now logged at the INFO level. [GL #4001] [GL #4002]The
max-transfer-time-in
andmax-transfer-idle-in
statements have not had any effect since the BIND 9 networking stack was refactored in version 9.16. The missing functionality has been re-implemented and incoming zone transfers now time out properly when not progressing. [GL #4004]The read timeout in
rndc
is now 60 seconds, matching the behavior in BIND 9.16 and earlier. It had previously been lowered to 30 seconds by mistake. [GL #4046]When the
ISC_R_INVALIDPROTO
(ENOPROTOOPT
,EPROTONOSUPPORT
) error code is returned by libuv, it is now treated as a network failure: the server for which that error code is returned gets marked as broken and is not contacted again during a given resolution process. [GL #4005]When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed. [GL #4027]
A flaw in reworked code responsible for accepting TCP connections has been addressed. This issue could cause a visible performance drop for TCP queries on some platforms, notably FreeBSD, and has now been fixed. [GL #3985]
Log file rotation code did not clean up older versions of log files when the logging
channel
had an absolute path configured as afile
destination. This has been fixed. [GL #3991]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.12
Security Fixes
An error in DNS message processing introduced in development version 9.19.11 could cause BIND and its utilities to crash if the maximum permissible number of DNS labels were present. This has been fixed. [GL #3998]
Known Issues
Loading a large number of zones is significantly slower in BIND 9.19.12 than in the previous development releases due to a new data structure being used for storing information about the zones to serve. This slowdown is considered to be a bug and will be addressed in a future BIND 9.19.x development release. [GL #4006]
A flaw in reworked code responsible for accepting TCP connections may cause a visible performance drop for TCP queries on some platforms, notably FreeBSD. This issue will be fixed in a future BIND 9.19.x development release. [GL #3985]
See above for a list of all known issues affecting this BIND 9 branch.
New Features
BIND now depends on liburcu, Userspace RCU, for lock-free data structures. [GL #3934]
The new command-line
delv +ns
option activates name server mode, to more accurately reproduce the behavior ofnamed
when resolving a query. In this mode,delv
uses an internal recursive resolver rather than an external server. All messages sent and received during the resolution and validation process are logged. This can be used in place ofdig +trace
. [GL #3842]A new configuration option,
checkds
, has been introduced. When set toyes
, it detectsparental-agents
automatically by resolving the parent NS records. These name servers are queried to check the DS RRset during a KSK rollover initiated bydnssec-policy
. [GL #3901]
Removed Features
The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been removed and using TKEY Mode 2 is now a fatal error. Users are advised to switch to TKEY Mode 3 (GSS-API). [GL #3905]
Zone type
delegation-only
, and thedelegation-only
androot-delegation-only
statements, have been removed. Using them is a configuration error.These statements were created to address the SiteFinder controversy, in which certain top-level domains redirected misspelled queries to other sites instead of returning NXDOMAIN responses. Since top-level domains are now DNSSEC-signed, and DNSSEC validation is active by default, the statements are no longer needed. [GL #3953]
Feature Changes
The log message
resolver priming query complete
has been moved from the INFO log level to the DEBUG(1) log level, to preventdelv
from emitting that message when setting up its internal resolver. [GL #3842]
Bug Fixes
Several bugs which could cause
named
to crash during catalog zone processing have been fixed. [GL #3955] [GL #3968] [GL #3997]Performance of DNSSEC validation in zones with many DNSKEY records has been improved. [GL #3981]
Notes for BIND 9.19.11
New Features
When using
dnssec-policy
, it is now possible to configure the digest type to use whenCDS
records need to be published withcds-digest-types
. Also, publication of specific CDNSKEY/CDS records can now be set withdnssec-signzone -G
. [GL #3837]
Removed Features
Support for Red Hat Enterprise Linux version 7 (and clones) has been dropped. A C11-compliant compiler is now required to compile BIND 9. [GL #3729]
The functions that were in the
libbind9
shared library have been moved to thelibisc
andlibisccfg
libraries. The now-emptylibbind9
has been removed and is no longer installed. [GL #3903]The
irs_resconf
module has been moved to thelibdns
shared library. The now-emptylibirs
library has been removed and is no longer installed. [GL #3904]
Feature Changes
Catalog zone updates are now run on specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This increases the responsiveness of
named
when catalog zone updates are being applied after a catalog zone has been successfully transferred. [GL #3881]libuv support for receiving multiple UDP messages in a single
recvmmsg()
system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup:Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error.
Running with libuv version higher than 1.34.2 is now a fatal error when
named
is built against libuv version 1.34.2 or lower.Running with libuv version higher than 1.39.0 is now a fatal error when
named
is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0.
This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call. [GL #3840]
Bug Fixes
named
could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed. [GL #3911]When
named
starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading. [GL #3673]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.10
New Features
The
forwarders
statement now supports thetls
argument, to be used to forward queries to DoT-enabled servers. [GL #3726]
Removed Features
Specifying a
port
when configuring source addresses (i.e., as an argument toquery-source
,query-source-v6
,transfer-source
,transfer-source-v6
,notify-source
,notify-source-v6
,parental-source
, orparental-source-v6
, or in thesource
orsource-v6
arguments toprimaries
,parental-agents
,also-notify
, orcatalog-zones
) has been deprecated. In addition, theuse-v4-udp-ports
,use-v6-udp-ports
,avoid-v4-udp-ports
, andavoid-v6-udp-ports
options have also been deprecated.Warnings are now logged when any of these options are encountered in
named.conf
. In a future release, they will be made nonfunctional. [GL #3781]The Differentiated Services Code Point (DSCP) feature has been removed: configuring DSCP values in
named.conf
is now a configuration error. [GL #3789]
Feature Changes
The memory statistics have been reduced to a single counter,
InUse
;Malloced
is an alias that holds the same value. The other counters were usable with the old BIND 9 internal memory allocator, but they are unnecessary now that the latter has been removed. [GL #3718]
Bug Fixes
A constant stream of zone additions and deletions via
rndc reconfig
could cause increased memory consumption due to delayed cleaning of view memory. This has been fixed. [GL #3801]The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of NSEC3 hashing, has been improved. [GL #3795]
Pointing
parental-agents
to a resolver did not work because the RD bit was not set on DS requests. This has been fixed. [GL #3783]Building BIND 9 failed when the
--enable-dnsrps
switch for./configure
was used. This has been fixed. [GL #3827]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.9
Security Fixes
An UPDATE message flood could cause
named
to exhaust all available memory. This flaw was addressed by adding a newupdate-quota
option that controls the maximum number of outstanding DNS UPDATE messages thatnamed
can hold in a queue at any given time (default: 100). (CVE-2022-3094)ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523]
named
could crash with an assertion failure when an RRSIG query was received andstale-answer-client-timeout
was set to a non-zero value. This has been fixed. (CVE-2022-3736)ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622]
named
running as a resolver with thestale-answer-client-timeout
option set to any value greater than0
could crash with an assertion failure, when therecursive-clients
soft quota was reached. This has been fixed. (CVE-2022-3924)ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619]
New Features
The new
update-quota
option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523]
Removed Features
The statements setting alternate local addresses for inbound zone transfers (
alt-transfer-source
,alt-transfer-source-v6
, anduse-alt-transfer-source
) have been removed. [GL #3714]The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in
named.conf
now causes a warning to be logged. [GL #3773]
Feature Changes
A new way of configuring the preferred source address when talking to remote servers, such as
primaries
andparental-agents
, has been added: setting thesource
and/orsource-v6
arguments for a given statement is now possible. This new approach is intended to eventually replace statements such asparental-source
,parental-source-v6
,transfer-source
, etc. [GL #3762]The code for DNS over TCP and DNS over TLS transports has been replaced with a new, unified transport implementation. [GL #3374]
Bug Fixes
A rare assertion failure was fixed in outgoing TCP DNS connection handling. [GL #3178] [GL #3636]
In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3752]
In certain query resolution scenarios (e.g. when following CNAME records),
named
configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678]When an outgoing request timed out,
named
would retry up to three times with the same server instead of trying the next available name server. This has been fixed. [GL #3637]Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner. [GL #3739]
The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. [GL #3743]
Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed. [GL #3725]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.8
Removed Features
The
coresize
,datasize
,files
, andstacksize
options have been removed. The limits these options set should be enforced externally, either by manual configuration (e.g. usingulimit
) or via the process supervisor (e.g.systemd
). [GL #3676]Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no longer trigger key rollovers and denial-of-existence operations. This also means that the
dnssec-secure-to-insecure
option has been obsoleted. [GL #3686]
Feature Changes
The TTL of the NSEC3PARAM record for every NSEC3-signed zone was previously set to 0. It is now changed to match the SOA MINIMUM value for the given zone. [GL #3570]
The
--with-tuning
option forconfigure
has been removed. Each of the compile-time settings that required different values based on the “workload” (which were previously affected by the value of the--with-tuning
option) has either been removed or changed to a sensible default. [GL #3664]The
auto-dnssec
option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate todnssec-policy
. [GL #3667]Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (
alt-transfer-source
,alt-transfer-source-v6
, anduse-alt-transfer-source
) will be removed in a future BIND 9.19.x release. [GL #3694]On startup,
named
now sets the limit on the number of open files to the maximum allowed by the operating system, instead of trying to set it to “unlimited”. [GL #3676]The number of HTTP headers allowed in requests sent to
named
’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. [GL #3670]
Bug Fixes
named
could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). This has been fixed. [GL #3693]When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the
named
process to crash. This has been fixed. [GL #3683]When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]
TLS configuration for primary servers was not applied for zones that were members of a catalog zone. This has been fixed. [GL #3638]
In certain cases,
named
waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]host
andnslookup
command-line options setting the custom TCP/UDP port to use were ignored for ANY queries (which are sent over TCP). This has been fixed. [GL #3721]The new name compression code in BIND 9.19.7 was not compressing names in zone transfers that should have been compressed, so zone transfers were larger than before. This has been fixed. [GL #3706]
The
zone <name>/<class>: final reference detached
log message was moved from the INFO log level to the DEBUG(1) log level to prevent thenamed-checkzone
tool from superfluously logging this message in non-debug mode. [GL #3707]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.7
New Features
The
check-svcb
option has been added to control the checking of additional constraints on SVCB records. This change affectsnamed
,named-checkconf
,named-checkzone
,named-compilezone
, andnsupdate
. [GL #3576]
Feature Changes
On Linux, libcap is now a required dependency to help
named
keep needed privileges. [GL #3583]The DNS name compression algorithm used in BIND 9 has been revised: it now compresses more thoroughly than before, so responses containing names with many labels might have a smaller encoding than before. [GL #3661]
Bug Fixes
A crash was fixed that happened when a
dnssec-policy
zone that used NSEC3 was reconfigured to enableinline-signing
. [GL #3591]In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3598]
rpz-ip
rules inresponse-policy
zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. This has been fixed. [GL #3247]Previously, if Internet connectivity issues were experienced during the initial startup of
named
, a BIND resolver withdnssec-validation
set toauto
could enter into a state where it would not recover without stoppingnamed
, manually deleting themanaged-keys.bind
andmanaged-keys.bind.jnl
files, and startingnamed
again. This has been fixed. [GL #2895]Previously, the port in remote servers such as in
primaries
andparental-agents
could be wrongly configured because of an inheritance bug. This has been fixed. [GL #3627]Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. [GL #3563]
When a DNS resource record’s TTL value was equal to the resolver’s configured
prefetch
“eligibility” value, the record was erroneously not treated as eligible for prefetching. This has been fixed. [GL #3603]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.6
Known Issues
Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may require a manual configuration change. The following configurations are affected:
type primary
zones configured withdnssec-policy
but without eitherallow-update
orupdate-policy
,type secondary
zones configured withdnssec-policy
.
In these cases please add
inline-signing yes;
to the individual zone configuration(s). Without applying this change,named
will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signingSee above for a list of all known issues affecting this BIND 9 branch.
New Features
Support for parsing and validating the
dohpath
service parameter in SVCB records was added. [GL #3544]named
now supports forwarding Dynamic DNS updates through DNS-over-TLS (DoT). [GL #3512]The
nsupdate
tool now supports DNS-over-TLS (DoT). [GL #1781]named
now logs the supported cryptographic algorithms during startup and in the output ofnamed -V
. [GL #3541]A new configuration option
require-cookie
has been introduced. It specifies whether there should be a DNS COOKIE in the response for a given prefix; if not,named
falls back to TCP. This is useful if it is known that a given server supports DNS COOKIE. It can also be used to force all non-DNS COOKIE responses to fall back to TCP. [GL #2295]Support for libsystemd’s
sd_notify()
function was added, enablingnamed
to report its status to the init system. This allows systemd to wait untilnamed
is fully ready before starting other services that depend on name resolution. [GL #1176]The
recursion not available
andquery (cache) '...' denied
log messages were extended to include the name of the ACL that caused a given query to be denied. [GL #3587]
Feature Changes
When an international domain name is not valid according to IDNA2008,
dig
now tries to convert it according to IDNA2003 rules, or pass it through unchanged, instead of stopping with an error message. Theidna2
utility can be used to check IDNA syntax. [GL #3527]The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by “+”, followed by the key ID: for example,
8+54274
. [GL #3525]The ability to use PKCS#11 via engine_pkcs11 has been restored, by using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be compiled with
-DOPENSSL_API_COMPAT=10100
specified in the CFLAGS environment variable at compile time. [GL #3578]Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. libuv should be available on all supported platforms either as a native package or as a backport. [GL #3567]
Bug Fixes
An assertion failure was fixed in
named
that was caused by aborting the statistics channel connection while sending statistics data to the client. [GL #3542]named
could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. This has been fixed. [GL #1967]Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. This has been fixed. [GL #3557]
Notes for BIND 9.19.5
Security Fixes
Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of
named
running as a recursive resolver. This has been fixed. (CVE-2022-2795)ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]
When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) [GL #3493]
Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) [GL #3491]
named
running as a resolver with thestale-answer-client-timeout
option set to0
could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]
New Features
A new Response Policy Zone (RPZ) option,
ede
, was added. It enables an RFC 8914 Extended DNS Error (EDE) code of choice to be set for responses which have been modified by a given RPZ. [GL #3410]Worker threads’ event loops are now managed by a new “loop manager” API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. [GL #3508]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using
dnssec-policy
now require dynamic DNS orinline-signing
to be configured explicitly. [GL #3381]When reconfiguring
dnssec-policy
from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. [GL #3486]A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in
dig
and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.4
Removed Features
The use of the
max-zone-ttl
option inoptions
andzone
blocks has been deprecated; it should now be configured as part ofdnssec-policy
. A warning is logged if this option is used inoptions
orzone
blocks. In a future release, it will become nonoperational. [GL #2918]
Feature Changes
The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]
Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]
Bug Fixes
When running as a validating resolver forwarding all queries to another resolver,
named
could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response andnamed
failed its attempts to find a proper one instead. This has been fixed. [GL #3439]DNS compression is no longer applied to the root name (
.
) if it is repeatedly used in the same RRset. [GL #3423]Non-dynamic zones that inherit
dnssec-policy
from theview
oroptions
blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]rndc dumpdb -expired
was fixed to include expired RRsets, even ifstale-cache-enable
is set tono
and the cache-cleaning time window has passed. [GL #3462]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.3
New Features
A new command,
rndc fetchlimit
, prints a list of name server addresses that are currently rate-limited due tofetches-per-server
and domain names that are rate-limited due tofetches-per-zone
. [GL #665]
Removed Features
The
glue-cache
option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]
Feature Changes
To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if
stale-cache-enable
is set toyes
. [GL #3386]The
dnssec-signzone -H
default value has been changed to 0 additional NSEC3 iterations. This change aligns thednssec-signzone
default with the default used by thednssec-policy
feature. At the same time, documentation about NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]
When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec
could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]Previously,
named
immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed:named
acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]Previously,
rndc reconfig
did not pick up changes toendpoints
statements inhttp
blocks. This has been fixed. [GL #3415]It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.2
Feature Changes
New
dnssec-policy
configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]
Bug Fixes
The
fetches-per-server
quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]
Key files were updated every time the
dnssec-policy
key manager ran, whether the metadata had changed or not.named
now checks whether changes were applied before writing out the key files. [GL #3302]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.1
Security Fixes
Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in
named
instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]
New Features
Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by
named
. All of the previously supported BIND-specific catalog zone custom properties (primaries
,allow-query
, andallow-transfer
), as well as the new Change of Ownership (coo
) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, theversion
property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]Support DNS Extended Errors (RFC 8914)
Stale Answer
andStale NXDOMAIN Answer
when stale answers are returned from cache. [GL #2267]The Object Identifier (OID) embedded at the start of a PRIVATEOID public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. The Object Identifier is now printed when the
dig +rrcomments
option is used. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3234]The Object Identifier (OID) embedded at the start of a PRIVATEOID signature in a SIG, or RRSIG resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3296]
Bug Fixes
Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the
auto-dnssec maintain;
option. This has been fixed. [GL #2931]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.0
Known Issues
According to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]See above for a list of all known issues affecting this BIND 9 branch.
New Features
Add support for remote TLS certificate verification, both to
named
anddig
, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]dnssec-verify
anddnssec-signzone
now accept a-J
option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]
Removed Features
The
keep-response-order
option has been declared obsolete and the functionality has been removed.named
expects DNS clients to be fully compliant with RFC 7766. [GL #3140]
Feature Changes
Run RPZ updates on the specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This should increase the responsiveness of
named
when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3212] [GL #3744]
License
BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the COPYING
file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.19 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.20, which will be a stable branch. The end-of-life date for BIND 9.20 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.