Diffstat (limited to 'contrib/bind9/README')
-rw-r--r-- | contrib/bind9/README | 188 |
1 files changed, 69 insertions, 119 deletions
diff --git a/contrib/bind9/README b/contrib/bind9/README index 9d839b4..88d799e 100644 --- a/contrib/bind9/README +++ b/contrib/bind9/README 
@@ -51,119 +51,64 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes -BIND 9.8.5 - - BIND 9.8.5 includes several bug fixes and patches security - flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266. - -BIND 9.8.4 - - BIND 9.8.4 includes several bug fixes and patches security - flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244. - -BIND 9.8.3 - - BIND 9.8.3 is a maintenance release. - -BIND 9.8.2 - - BIND 9.8.2 includes a number of bug fixes and prevents a security - problem described in CVE-2011-4313 - -BIND 9.8.1 - - BIND 9.8.1 includes a number of bug fixes and enhancements from - BIND 9.8 and earlier releases. New features include: - - - The DLZ "dlopen" driver is now built by default. - - Added a new include file with function typedefs - for the DLZ "dlopen" driver. - - Made "--with-gssapi" default. - - More verbose error reporting from DLZ LDAP. - -BIND 9.8.0 - - BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier - releases. New features include: - - - Built-in trust anchor for the root zone, which can be - switched on via "dnssec-validation auto;" - - Support for DNS64. - - Support for response policy zones (RPZ). - - Support for writable DLZ zones. - - Improved ease of configuration of GSS/TSIG for - interoperability with Active Directory - - Support for GOST signing algorithm for DNSSEC. - - Removed RTT Banding from server selection algorithm. - - New "static-stub" zone type. - - Allow configuration of resolver timeouts via - "resolver-query-timeout" option. - -BIND 9.7.0 - - BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier - releases. Most are intended to simplify DNSSEC configuration. - - New features include: - - - Fully automatic signing of zones by "named". - - Simplified configuration of DNSSEC Lookaside Validation (DLV). 
- - Simplified configuration of Dynamic DNS, using the "ddns-confgen" - command line tool or the "local" update-policy option. (As a side - effect, this also makes it easier to configure automatic zone - re-signing.) - - New named option "attach-cache" that allows multiple views to - share a single cache. - - DNS rebinding attack prevention. - - New default values for dnssec-keygen parameters. - - Support for RFC 5011 automated trust anchor maintenance - - Smart signing: simplified tools for zone signing and key - maintenance. - - The "statistics-channels" option is now available on Windows. - - A new DNSSEC-aware libdns API for use by non-BIND9 applications - - On some platforms, named and other binaries can now print out - a stack backtrace on assertion failure, to aid in debugging. - - A "tools only" installation mode on Windows, which only installs - dig, host, nslookup and nsupdate. - - Improved PKCS#11 support, including Keyper support and explicit - OpenSSL engine selection. - - Known issues in this release: - - - In rare cases, DNSSEC validation can leak memory. When this - happens, it will cause an assertion failure when named exits, - but is otherwise harmless. A fix exists, but was too late for - this release; it will be included in BIND 9.7.1. - - Compatibility notes: - - - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, - ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then - you should ensure that all changes that are in progress have - completed prior to upgrading to BIND 9.7. BIND 9.7 implements - those features in a way which is not backwards compatible. - - - Prior releases had a bug which caused HMAC-SHA* keys with long - secrets to be used incorrectly. Fixing this bug means that older - versions of BIND 9 may fail to interoperate with this version - when using TSIG keys. 
If this occurs, the new "isc-hmac-fixup" - tool will convert a key with a long secret into a form that works - correctly with all versions of BIND 9. See the "isc-hmac-fixup" - man page for additional details. - - - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID. - It is possible for the new key ID to collide with that of a - different key. Newly generated keys will not have this problem, - as "dnssec-keygen" looks for potential collisions before - generating keys, but exercise caution if using key revokation - with keys that were generated by older versions of BIND 9. See - the Administrator's Reference Manual, section 4.10 ("Dynamic - Trust Anchor Management") for more details. - - - A bug was fixed in which a key's scheduled inactivity date was - stored incorectly. Users who participated in the 9.7.0 BETA test - and had DNSSEC keys with scheduled inactivity dates will need to - reset those keys' dates using "dnssec-settime -I". +BIND 9.9.3 + + BIND 9.9.3 is a maintenance release and patches the security + flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266. + +BIND 9.9.2 + + BIND 9.9.2 is a maintenance release and patches the security + flaw described in CVE-2012-4244. + +BIND 9.9.1 + + BIND 9.9.1 is a maintenance release. + +BIND 9.9.0 + + BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier + releases. New features include: + + - Inline signing, allowing automatic DNSSEC signing of + master zones without modification of the zonefile, or + "bump in the wire" signing in slaves. + - NXDOMAIN redirection. + - New 'rndc flushtree' command clears all data under a given + name from the DNS cache. + - New 'rndc sync' command dumps pending changes in a dynamic + zone to disk without a freeze/thaw cycle. + - New 'rndc signing' command displays or clears signing status + records in 'auto-dnssec' zones. + - NSEC3 parameters for 'auto-dnssec' zones can now be set prior + to signing, eliminating the need to initially sign with NSEC. 
+ - Startup time improvements on large authoritative servers. + - Slave zones are now saved in raw format by default. + - Several improvements to response policy zones (RPZ). + - Improved hardware scalability by using multiple threads + to listen for queries and using finer-grained client locking + - The 'also-notify' option now takes the same syntax as + 'masters', so it can used named masterlists and TSIG keys. + - 'dnssec-signzone -D' writes an output file containing only DNSSEC + data, which can be included by the primary zone file. + - 'dnssec-signzone -R' forces removal of signatures that are + not expired but were created by a key which no longer exists. + - 'dnssec-signzone -X' allows a separate expiration date to + be specified for DNSKEY signatures from other signatures. + - New '-L' option to dnssec-keygen, dnssec-settime, and + dnssec-keyfromlabel sets the default TTL for the key. + - dnssec-dsfromkey now supports reading from standard input, + to make it easier to convert DNSKEY to DS. + - RFC 1918 reverse zones have been added to the empty-zones + table per RFC 6303. + - Dynamic updates can now optionally set the zone's SOA serial + number to the current UNIX time. + - DLZ modules can now retrieve the source IP address of + the querying client. + - 'request-ixfr' option can now be set at the per-zone level. + - 'dig +rrcomments' turns on comments about DNSKEY records, + indicating their key ID, algorithm and function + - Simplified nsupdate syntax and added readline support Building @@ -193,12 +138,12 @@ Building AIX 4.3, 5L CentOS 4, 4.5, 5 Darwin 9.0.0d1/ARM - Debian 4 - Fedora Core 5, 7 - FreeBSD 6.1 + Debian 4, 5, 6 + Fedora Core 5, 7, 8 + FreeBSD 6, 7, 8 HP-UX 11.23 PA - MacOS X 10.4, 10.5 - Red Hat Enterprise Linux 4, 5 + MacOS X 10.5, 10.6, 10.7 + Red Hat Enterprise Linux 4, 5, 6 SCO OpenServer 5.0.6 Slackware 9, 10 SuSE 9, 10 
@@ -219,7 +164,8 @@ Building CFLAGS C compiler flags. Defaults to include -g and/or -O2 - as supported by the compiler. + as supported by the compiler. Please include '-g' + if you need to set CFLAGS. STD_CINCLUDES System header file directories. Can be used to specify @@ -336,6 +282,10 @@ Building libraries. sh-utils-1.16 provides a "printf" which compiles on SunOS 4. +Known limitations + + Linux requires kernel build 2.6.39 or later to get the + performance benefits from using multiple sockets. Documentation |
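
Review bot: In the @@ -51,119 +51,64 @@ hunk, the added BIND 9.9.2 entry names only CVE-2012-4244, while the removed BIND 9.8.4 entry named CVE-2012-1667 and CVE-2012-3817 as well, so after this change the README no longer says which 9.9 release addresses those two. Please confirm their status on the 9.9 branch and state it in the release entries or the commit message. Two smaller points in the same hunk: "so it can used named masterlists" is missing a word, and "Slave zones are now saved in raw format by default" is a behaviour change for existing installs that would be easier to find under a compatibility heading, like the removed 9.7.0 "Compatibility notes", than in the feature list.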
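
Review bot: In the @@ -193,12 +138,12 @@ hunk, the platform list drops "MacOS X 10.4" and widens "FreeBSD 6.1" to "FreeBSD 6, 7, 8" without saying whether the dropped version is now unsupported or only untested. A one-line note under the list stating which of the two applies would keep readers on older systems from guessing.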
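
Review bot: In the @@ -219,7 +164,8 @@ hunk, the added sentence "Please include '-g' if you need to set CFLAGS." gives an instruction with no reason, so a packager overriding CFLAGS cannot tell what breaks without it. If the intent is to keep debugging information available for diagnosing assertion failures, say so in the same sentence.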
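
Review bot: In the @@ -336,6 +282,10 @@ hunk, the new "Known limitations" text refers to "using multiple sockets", a term that appears nowhere else in the README; the 9.9.0 entry describes the feature as "using multiple threads to listen for queries". Use the same wording in both places, or cross-reference them, and state what happens on a Linux kernel older than 2.6.39 (whether named still runs correctly and only the performance gain is lost). "kernel build 2.6.39" would also read more clearly as "kernel version 2.6.39".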