summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/RELEASE-NOTES-BIND-9.6.3.txt
blob: c2a5d5325b858245601dcc893216c7862f57607f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
     __________________________________________________________________

Introduction

   BIND 9.6.3 is the current release of BIND 9.6.

   This document summarizes changes from BIND 9.6.2-P2 to BIND 9.6.3.
   Please see the CHANGES file in the source code release for a complete
   list of all changes.

Download

   The latest development version of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/development. There you
   will find additional information about each release, source code, and
   some pre-compiled versions for certain operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options. Free
   support is provided by our user community via a mailing list.
   Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

9.6.3

   None.

Feature Changes

9.6.3

   None.

Security Fixes

9.6.2-P3

     * Adding a NO DATA signed negative response to cache failed to clear
       any matching RRSIG records already in cache. A subsequent lookup of
       the cached NO DATA entry could crash named (INSIST) when the
       unexpected RRSIG was also returned with the NO DATA cache entry.
       [RT #22288] [CVE-2010-3613] [VU#706148]
     * BIND, acting as a DNSSEC validator, was determining if the NS RRset
       is insecure based on a value that could mean either that the RRset
       is actually insecure or that there wasn't a matching key for the
       RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY
       RRset. This can happen when in the middle of a DNSKEY algorithm
       rollover, when two different algorithms were used to sign a zone
       but only the new set of keys are in the zone DNSKEY RRset. [RT
       #22309] [CVE-2010-3614] [VU#837744]

Bug Fixes

9.6.3

     * BIND now builds with threads disabled in versions of NetBSD earlier
       than 5.0 and with pthreads enabled by default in NetBSD versions
       5.0 and higher. Also removes support for unproven-pthreads,
       mit-pthreads and ptl2. [RT #19203]
     * HPUX now correctly defaults to using /dev/poll, which should
       increase performance. [RT #21919]
     * If named is running as a threaded application, after an "rndc stop"
       command has been issued, other inbound TCP requests can cause named
       to hang and never complete shutdown. [RT #22108]
     * When performing a GSS-TSIG signed dynamic zone update, memory could
       be leaked. This causes an unclean shutdown and may affect
       long-running servers. [RT #22573]
     * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
       allows for a TCP DoS attack. Until there is a kernel fix, ISC is
       disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
     * Corrected a defect where a combination of dynamic updates and zone
       transfers incorrectly locked the in-memory zone database, causing
       named to freeze. [RT #22614]
     * Don't run MX checks (check-mx) when the MX record points to ".".
       [RT #22645]
     * DST key reference counts can now be incremented via dst_key_attach.
       [RT #22672]
     * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
       attr. [RT #22766]
     * The Kerberos realm was being truncated when being pulled from the
       the host prinicipal, make krb5-self updates fail. [RT #22770]
     * named failed to preserve the case of domain names in RDATA which is
       not compressible when writing master files. [RT #22863]
     * There was a bug in how the clients-per-query code worked with some
       query patterns. This could result, in rare circumstances, in having
       all the client query slots filled with queries for the same DNS
       label, essentially ignoring the max-clients-per-query setting. [RT
       #22972]

9.6.2-P3

     * Worked around a race condition in the cache database memory
       handling. Without this fix a DNS cache DB or ADB could incorrectly
       stay in an over memory state, effectively refusing further caching,
       which subsequently made a BIND 9 caching server unworkable. [RT
       #21818]
     * Microsoft changed the behavior of sockets between NT/XP based
       stacks vs Vista/windows7 stacks. Server 2003/2008 have the older
       behavior, 2008r2 has the new behavior. With the change, different
       error results are possible, so ISC adapted BIND to handle the new
       error results. This resolves an issue where sockets would shut down
       on Windows servers causing named to stop responding to queries. [RT
       #21906]
     * Windows has non-POSIX compliant behavior in its rename() and
       unlink() calls. This caused journal compaction to fail on Windows
       BIND servers with the log error: "dns_journal_compact failed:
       failure". [RT #22434]

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at
   http://www.isc.org/supportisc.
OpenPOWER on IntegriCloud