Release Notes

Introduction

BIND 9.19 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.20 release, this document will be updated with additional features added and bugs fixed. Please see the CHANGES file for a more detailed list of changes and bug fixes.

Supported Platforms

See the Supported Platforms section in the Resource Requirements chapter.

Download

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Notes for BIND 9.19.6

Security Fixes

  • None.

Known Issues

  • None.

New Features

  • None.

  • A new configuration option require-cookie has been introduced, it specifies if there should be a DNS COOKIE in the response for a given prefix and if not named falls back to TCP. This is useful if you know a given server support DNS COOKIE. It can also be used to force all non DNS COOKIE responses to fall back to TCP. [GL #2295]

  • Add libsystemd sd_notify() integration that allows the named to report status to the supervisor. This allows the systemd to wait until named is fully started before starting other services that depend on name resolution. [GL #1176]

  • The nsupdate tool now supports DNS-over-TLS (DoT). [GL #1781]

  • :iscman:named now supports forwarding Dynamic DNS updates through DNS-over-TLS (DoT), configured with a TLS-enabled primary server. [GL #3512]

  • named now logs the supported cryptographic algorithms during startup and in the output of named -V. [GL #3541]

Removed Features

  • None.

Feature Changes

  • When an international domain name is not valid according to IDNA2008, dig will now try to convert it according to IDNA2003 rules, or pass it through unchanged, instead of stopping with an error message. You can use the idna2 utility for checking IDNA syntax. [GL #3485].

  • The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by “+”, followed by the key ID: for example, “8+54274”. [GL #3525]

  • The ability to use pkcs11 via engine_pkcs11 has been restored, by only using deprecated APIs in OpenSSL 3.0.0. BIND needs to be compiled with ‘-DOPENSSL_API_COMPAT=10100’ specified in the CFLAGS at compile time. [GL !6711]

  • Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. The libuv should be available on all supported platforms either as a native package or as a backport. [GL #3567]

Bug Fixes

  • An assertion failure was fixed in named that was caused by aborting the statistics channel connection while sending statistics data to the client. [GL #3542]

  • named could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. [GL #1967]

  • Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. [GL #3557]

Notes for BIND 9.19.5

Security Fixes

  • Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of named running as a recursive resolver. This has been fixed. (CVE-2022-2795)

    ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]

  • When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) [GL #3493]

  • Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) [GL #3491]

  • named running as a resolver with the stale-answer-client-timeout option set to 0 could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]

  • Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]

New Features

  • A new Response Policy Zone (RPZ) option, ede, was added. It enables an RFC 8914 Extended DNS Error (EDE) code of choice to be set for responses which have been modified by a given RPZ. [GL #3410]

  • Worker threads’ event loops are now managed by a new “loop manager” API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. [GL #3508]

Feature Changes

  • Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]

  • Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]

  • When reconfiguring dnssec-policy from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. [GL #3486]

  • A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in dig and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]

Bug Fixes

  • A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]

Notes for BIND 9.19.4

Removed Features

Feature Changes

  • The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]

  • Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]

Bug Fixes

  • When running as a validating resolver forwarding all queries to another resolver, named could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response and named failed its attempts to find a proper one instead. This has been fixed. [GL #3439]

  • DNS compression is no longer applied to the root name (.) if it is repeatedly used in the same RRset. [GL #3423]

  • Non-dynamic zones that inherit dnssec-policy from the view or options blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]

  • rndc dumpdb -expired was fixed to include expired RRsets, even if stale-cache-enable is set to no and the cache-cleaning time window has passed. [GL #3462]

Notes for BIND 9.19.3

New Features

Removed Features

  • The glue-cache option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]

Feature Changes

Bug Fixes

  • An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]

  • When grafting non-delegated namespace onto delegated namespace, synth-from-dnssec could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]

  • Previously, named immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed: named acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]

  • Previously, rndc reconfig did not pick up changes to endpoints statements in http blocks. This has been fixed. [GL #3415]

  • It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]

Notes for BIND 9.19.2

Feature Changes

  • New dnssec-policy configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]

Bug Fixes

  • The fetches-per-server quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]

  • DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]

  • Key files were updated every time the dnssec-policy key manager ran, whether the metadata had changed or not. named now checks whether changes were applied before writing out the key files. [GL #3302]

Notes for BIND 9.19.1

Security Fixes

  • Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in named instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.

    ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]

New Features

  • Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by named. All of the previously supported BIND-specific catalog zone custom properties (primaries, allow-query, and allow-transfer), as well as the new Change of Ownership (coo) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, the version property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]

  • Support DNS Extended Errors (RFC 8914) Stale Answer and Stale NXDOMAIN Answer when stale answers are returned from cache. [GL #2267]

  • The Object Identifier (OID) embedded at the start of a PRIVATEOID public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. The Object Identifier is now printed when the dig +rrcomments option is used. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3234]

  • The Object Identifier (OID) embedded at the start of a PRIVATEOID signature in a SIG, or RRSIG resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3296]

Bug Fixes

  • Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the auto-dnssec maintain; option. This has been fixed. [GL #2931]

Notes for BIND 9.19.0

Known Issues

  • According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

New Features

  • Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]

  • dnssec-verify and dnssec-signzone now accept a -J option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]

Removed Features

  • The keep-response-order option has been declared obsolete and the functionality has been removed. named expects DNS clients to be fully compliant with RFC 7766. [GL #3140]

Feature Changes

  • Run RPZ updates on the specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This should increase the responsiveness of named when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]

License

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

End of Life

BIND 9.19 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.20, which will be a stable branch. The end-of-life date for BIND 9.20 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.16, which will be supported until at least December 2023. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible.