diff options
Diffstat (limited to 'RELEASE-NOTES-BIND-9.6-ESV.txt')
-rw-r--r-- | RELEASE-NOTES-BIND-9.6-ESV.txt | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/RELEASE-NOTES-BIND-9.6-ESV.txt b/RELEASE-NOTES-BIND-9.6-ESV.txt new file mode 100644 index 0000000..028c16d --- /dev/null +++ b/RELEASE-NOTES-BIND-9.6-ESV.txt @@ -0,0 +1,133 @@ + __________________________________________________________________ + +Introduction + + BIND 9.6-ESV-R3 is a maintenance release for BIND 9.6-ESV. + + This document summarizes changes from BIND 9.6-ESV-R1 to BIND + 9.6-ESV-R3. Please see the CHANGES file in the source code release for + a complete list of all changes. + +Download + + The latest release of BIND 9 software can always be found on our web + site at http://www.isc.org/software/bind. There you will find + additional information about each release, source code, and some + pre-compiled versions for certain operating systems. + +Support + + Product support information is available on + http://www.isc.org/services/support for paid support options. Free + support is provided by our user community via a mailing list. + Information on all public email lists is available at + https://lists.isc.org/mailman/listinfo. + +New Features + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Feature Changes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + None. + +Security Fixes + +9.6-ESV-R2 + + None. + +9.6-ESV-R3 + + * Adding a NO DATA signed negative response to cache failed to clear + any matching RRSIG records already in cache. A subsequent lookup of + the cached NO DATA entry could crash named (INSIST) when the + unexpected RRSIG was also returned with the NO DATA cache entry. + [RT #22288] [CVE-2010-3613] [VU#706148] + * BIND, acting as a DNSSEC validator, was determining if the NS RRset + is insecure based on a value that could mean either that the RRset + is actually insecure or that there wasn't a matching key for the + RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY + RRset. This can happen when in the middle of a DNSKEY algorithm + rollover, when two different algorithms were used to sign a zone + but only the new set of keys are in the zone DNSKEY RRset. [RT + #22309] [CVE-2010-3614] [VU#837744] + +Bug Fixes + +9.6-ESV-R2 + + * Check that named successfully skips NSEC3 records that fail to + match the NSEC3PARAM record currently in use. [RT #21868] + * Worked around a race condition in the cache database memory + handling. Without this fix a DNS cache DB or ADB could incorrectly + stay in an over memory state, effectively refusing further caching, + which subsequently made a BIND 9 caching server unworkable. [RT + #21818] + * BIND did not properly handle non-cacheable negative responses from + insecure zones. This caused several non-protocol-compliant zones to + become unresolvable. BIND is now more accepting of responses it + receives from less strict servers. [RT #21555] + * The resolver could attempt to destroy a fetch context too soon, + resulting in a crash. [RT #19878] + * The placeholder negative caching element was not properly + constructed triggering a crash (INSIST) in dns_ncache_towire(). [RT + #21346] + * Handle the introduction of new trusted-keys and DS, DLV RRsets + better. [RT #21097] + * Fix arguments to dns_keytable_findnextkeynode() call. [RT #20877] + +9.6-ESV-R3 + + * Microsoft changed the behavior of sockets between NT/XP based + stacks vs Vista/windows7 stacks. Server 2003/2008 have the older + behavior, 2008r2 has the new behavior. With the change, different + error results are possible, so ISC adapted BIND to handle the new + error results. This resolves an issue where sockets would shut down + on Windows servers causing named to stop responding to queries. [RT + #21906] + * Windows has non-POSIX compliant behavior in its rename() and + unlink() calls. This caused journal compaction to fail on Windows + BIND servers with the log error: "dns_journal_compact failed: + failure". [RT #22434] + * 'host -D' now turns on debugging messages earlier. [RT #22361] + * isc_print_vsnprintf() failed to check if there was space available + in the buffer when adding a left justified character with a non + zero width, (e.g. "%-1c"). [RT #22270] + * view->queryacl was being overloaded. Seperate the usage into + view->queryacl, view->cacheacl and view->queryonacl. [RT #22114] + * win32: add more dependencies to BINDBuild.dsw. [RT #22062] + * win32: named-checkzone and named-checkconf failed to initialise + winsock. [RT #21932] + * named failed to generate a correct signed response in a optout, + delegation only zone with no secure delegations. [RT #22007] + +Known issues in this release + + * "make test" will fail on OSX and possibly other operating systems. + The failure occurs in a new test to check for allow-query ACLs. The + failure is caused because the source address is not specified on + the dig commands issued in the test. + If running "make test" is part of your usual acceptance process, + please edit the file bin/tests/system/allow_query/test.sh and add + -b 10.53.0.2 + to the DIGOPTS line. + +Thank You + + Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/supportisc. |