Apr 05 2012

When you do public-sector development, you sometimes have to integrate with the government administrative systems.

Because you basically cannot connect to the administrative system directly, you have to request and receive data through a SOAP-based web service (WSDL).

For this, the public official in charge has to obtain an integration ID and a code through the Saeol Administration Integrated Support Center.
Then you obtain an integration query from the integration contact and from the contact for each service, put that information into the request, and receive the result through the service.
(From this point on, naturally, you will be spending quite a lot of time on the phone with the integration contact. -_-)

The rest you can do by following the manual, but if you do not understand the concepts at the start, it is really hard work.
The important thing is that, because the communication goes over a web service (WSDL), the MIME type and the encoding of the request have to match the server exactly.

To use the commonly used AXIS and similar toolkits, you have to consider the web server environment and the integration server environment carefully.
(When I first developed the integration server, the development PC, the development service system and the production service all had different environments, and I went through a lot. If these settings do not match you only get an HTTP 500 response, so you can end up struggling without even knowing what the error is.)

Being the clueless person I am, I went through a lot of this, and since the project had to be finished in a short time, rather than verifying the state of the server I wrote a web client myself to get things done quickly and finish the project sooner. -_-

You create a connection as below, then generate the XML yourself and send it.

import java.net.URL;
import java.net.URLConnection;

URL url = new URL("http://");                     // endpoint URL of the integration service goes here
URLConnection con = url.openConnection();
con.addRequestProperty("SOAPAction", "");         // SOAPAction header (empty for this service)
con.setRequestProperty("Content-Type", "text/xml; charset=euc-kr"); // MIME type and encoding must match the server
con.setDoOutput(true);                            // the SOAP envelope is written to the request body

For the data that comes back you also write an XML parsing routine and process it the same way.
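As an added example, not code from the original post, here is a fuller version of the hand-written client described above: it builds the envelope, sends it with the EUC-KR Content-Type, reads the error stream on an HTTP 500 so the server's fault text is visible instead of an opaque error, and parses the reply with DTD processing disabled. The endpoint, the SOAPAction value, the namespaces and the element names (linkId, queryId, resultCode, data) are placeholders assumed here; the real ones come from the WSDL and the integration query the post describes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class SaeolSoapClient {

    // The server expects EUC-KR: the charset named in Content-Type and the bytes actually
    // written must agree, otherwise the integration server answers with a bare HTTP 500.
    static final Charset EUC_KR = Charset.forName("EUC-KR");

    // Builds a minimal SOAP 1.1 envelope. The namespace and element names are hypothetical
    // placeholders; the real ones come from the WSDL handed out with the integration query.
    static String buildEnvelope(String linkId, String queryId, String param) {
        return "<?xml version=\"1.0\" encoding=\"EUC-KR\"?>"
             + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
             + "<soapenv:Body><req:Request xmlns:req=\"urn:placeholder:request\">"
             + "<req:linkId>" + escape(linkId) + "</req:linkId>"
             + "<req:queryId>" + escape(queryId) + "</req:queryId>"
             + "<req:param>" + escape(param) + "</req:param>"
             + "</req:Request></soapenv:Body></soapenv:Envelope>";
    }

    // Escapes the XML metacharacters so caller-supplied text cannot break out of its element.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // POSTs the envelope. On HTTP 4xx/5xx the body is read from the error stream, so the
    // SOAP fault text reaches the log instead of an opaque "500" exception.
    static String send(String endpoint, String soapAction, String envelope) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(endpoint).openConnection();
        con.setRequestMethod("POST");
        con.setRequestProperty("SOAPAction", soapAction);
        con.setRequestProperty("Content-Type", "text/xml; charset=euc-kr");
        con.setDoOutput(true);
        byte[] body = envelope.getBytes(EUC_KR);
        con.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = con.getOutputStream()) { out.write(body); }
        int status = con.getResponseCode();
        InputStream in = status >= 400 ? con.getErrorStream() : con.getInputStream();
        if (in == null) throw new IOException("HTTP " + status + " with no body");
        String text;
        try (InputStream s = in) { text = new String(readFully(s), EUC_KR); }
        if (status >= 400) throw new IOException("HTTP " + status + ": " + text);
        return text;
    }

    static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    // Parses the response with DTD processing disabled: the reply comes from a remote party,
    // so a DOCTYPE with external entities (XXE) is rejected rather than resolved.
    static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Returns the text of the first element with the given local name, in any namespace.
    static String firstText(Document doc, String localName) {
        NodeList nl = doc.getElementsByTagNameNS("*", localName);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample reply so the parsing path can be exercised without a server.
        String sample = "<?xml version=\"1.0\" encoding=\"EUC-KR\"?>"
            + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soapenv:Body><res:Response xmlns:res=\"urn:placeholder:response\">"
            + "<res:resultCode>00</res:resultCode><res:data>BASE64_PLACEHOLDER</res:data>"
            + "</res:Response></soapenv:Body></soapenv:Envelope>";
        Document doc = parse(sample.getBytes(EUC_KR));
        System.out.println("resultCode=" + firstText(doc, "resultCode"));
        System.out.println("data=" + firstText(doc, "data"));
        // Against a real endpoint (all placeholders):
        // String reply = send("http://ENDPOINT_PLACEHOLDER", "", buildEnvelope("LINK_ID", "QUERY_ID", "..."));
    }
}
```

Two points worth keeping even if the rest is replaced by a toolkit: the bytes written must be encoded with the same charset that the Content-Type header declares, and the reply is untrusted input, so the parser should refuse DOCTYPEs before any element is read.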

But there is one more hurdle: anything that could count as personal information has to go over GPKI communication.
For this you additionally have to obtain a GPKI server authentication code and register it on the Saeol integration server.
Then you fetch the public key of the server you will integrate with via LDAP, store it, and initialize with those keys. After that, you GPKI-encode part of the XML you built and send it, and decode part of the received data to check it.
(This is also in the sample program, but the encrypted data has to be base64-encoded, and when decrypting you have to base64-decode first and only then decrypt.)

Note that because the GPKI module for Java uses JNI, you have to install the version that matches the OS; you can install it on the server ahead of time and verify it there.
Also, to get the public key of the Saeol administration server you can use the sample program, but getting hold of an LDAP client and saving the key that way is more convenient.
(Not knowing any better, I did it both ways. -_-)

In practice, more than the development itself, there is a lot that has to be worked through with the integration team to get the integration running; it is easy if you have experience, but if not, expect some hardship at the start.

Apr 05 2012

9.7.x, which you could call the most stable of the BIND branches currently in production use, was updated today.
There are also 9.8.x and 9.9.x, but for now 9.7 still seems the best choice.

Looking at the source, quite a lot has changed compared with 9.7.4-P1, which was released last November.

Introduction

BIND 9.7.5 is the most recent production release of BIND 9.7.

This document summarizes changes from BIND 9.7.4 to BIND 9.7.5.
Please see the CHANGES file in the source code release for a
complete list of all changes.

Download

The latest versions of BIND 9 software can always be found on our
web site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and
pre-compiled versions for Microsoft Windows operating systems.

Support

Product support information is available on
http://www.isc.org/services/support for paid support options.
Free support is provided by our user community via a mailing list.
Information on all public email lists is available at

https://lists.isc.org/mailman/listinfo.

Security Fixes

+ BIND 9 nameservers performing recursive queries could cache an
invalid record and subsequent queries for that record could
crash the resolvers with an assertion failure. [RT #26590]
[CVE-2011-4313]

Feature Changes

+ It is now possible to explicitly disable DLV in named.conf by
specifying "dnssec-lookaside no;". This is the default, but the
ability to configure it makes it clearly visible to administrators.
[RT #24858]

+ --enable-developer, a new composite argument to the configure
script, enables a set of build options normally disabled but
frequently selected in test or development builds, specifically:
enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
Darwin, also enable_exportlib) [RT #27103]

Bug Fixes

+ Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota
if the zone was being removed. [RT #28419]

+ A parser bug could cause named to crash while reading a malformed
zone file. [RT #28467]

+ Fixed a problem preventing proper use of 64 bit time values in
libbind. [RT #26542]

+ isccc/cc.c:table_fromwire could fail to free an allocated object on
error, leading to a possible memory leak condition. [RT #28265]

+ Fixed a build error on systems without ENOTSUP. [RT #28200]

+ The header file isc/hmacsha.h is now installed when building BIND.
[RT #28169]

+ Resolves spurious test failures in ans.pl by updating it to work
correctly with Net::DNS 0.68 [RT #28028]

+ Corrects a potential overflow problem in the computation of
RRSIG expiration times. [RT #23311]

+ The managed key maintenance timer could fail to restart after 'rndc
reconfig' resulting in managed keys not being properly added to
managed-keys.bind. [RT #27686]

+ The maximum number of NSEC3 iterations for a DNSKEY RRset was
not being properly computed. [RT #26543]

+ Error reporting has been improved for failures encountered
when sending or receiving network packets. In particular
some memory allocation failures were being logged as "unexpected
error" – these will now be reported accurately. A new
ISC_R_UNSET result code has also been added to cover those
situations where there is no error code returned by the OS
sockets implementation. [RT #27336]

+ Corrects an INSIST failure by addressing race conditions in
the handling of rbtnode.deadlink. [RT #27738]

+ SOA refresh queries could be treated as cancelled despite
succeeding over the loopback interface. [RT #27782]

+ When replacing an NS RRset, BIND now restricts the TTL of the
new NS RRset to no more than that of the NS RRset it replaces
to fix a timing problem that can arise when removing a delegation.
[RT #27792/27884]

+ Raw zones with more than 512 records in a RRset previously
failed to load. [RT #27863]

+ Make sure automatic key maintenance is started when "rndc reconfig"
is issued if "auto-dnssec maintain" is turned on. [RT #26805]

+ Windows builds are now restricted to a single listener thread
until incompatibility with the multiple listeners code can be
addressed [RT #27696]

+ AAAA responses could be returned in the additional section even
when filter-aaaa-on-v4 was in use. [RT #27292]

+ Some query patterns could cause responses not to be returned
in cyclic order though "rrset-order cyclic" was set. [RT
#27170/27185]

+ named-compilezone no longer emits "dump zone to " message
when writing to stdout. [RT #27109]

+ Sets isc_socket_ipv6only() on the IPv6 control channels. This
addresses IPv6 socket binding problems that can occur in some
configurations when bindv6only=1 is set globally. [RT #22249]

+ named now reports a syntax error when a TXT record longer than
255 characters is configured. [RT #26956]

+ Addresses race conditions in the resolver code that can cause
named to abort. [RT #26889]

+ Fixed a bug that could cause named to crash while loading a
zone with invalid DNSKEY records. [RT #26913]

+ Prevents dig -6 +trace from terminating with an error when
encountering a root nameserver without an AAAA record. [RT #26906]

+ Prevents DNSKEY state change events from being missed by ensuring
that the timestamps used to determine which keys are in use are
set appropriately. [RT #26874]

+ When processing a list of keys, named now consistently compares
them with the same timestamp. [RT #26883]

+ Fixed a corner case race condition in the validator that may
cause an assert in a multi-threaded build of BIND. [RT #26478]

+ Poor error handling could cause named to hang during shutdown.
[RT #26372]

+ named now correctly validates DNSSEC positive wildcard responses
from NSEC3 signed zones. [RT #26200]

+ The order in which we process the reactivation of a dead node
in cache and the incrementing of its reference count created a
small timing window during which an inconsistency could be
detected and an assert occur in a multi-threaded environment.
This should no longer occur. [RT #23219]

+ Master servers that had previously been marked as unreachable
because of failed zone transfer attempts will now be removed
from the "unreachable" list (i.e. considered reachable again)
if the slave receives a NOTIFY message from them. [RT #25960]

+ Fixes a bug in zone.c where failure to delete signatures could
lead to an assertion failure and subsequent abort. [RT #25880]

+ Corrects a problem validating root DS responses. [RT #25726]

+ Fixes a problem whereby "rndc dumpdb" could cause an assertion
failure and abort by attempting to print an empty rdataset. [RT
#25452]

+ Improves scalability by allocating one zone task per 100 zones
at startup time. [RT #25541]

+ Fixes a problem with the computation of tags for revoked keys.
[RT #26186]

+ 'dig -y' would crash when passed an unknown TSIG algorithm. dig
now handles unknown TSIG algorithms more gracefully. [RT #25522]

+ Servers that received negative responses from a forwarder were
failing to cache the answers correctly, resulting in multiple
queries for the same non-existent name being sent to the
forwarders instead of answers being provided to clients from
cache (until TTL expiry). [RT #25380]

+ named would log warnings that empty zones may fail to transfer
to slaves due to serial number 0. These spurious errors have
now been silenced. [RT #25079]

+ corrected memory leaks and out of order operations that could
cause named to crash during a normal shutdown. [RT #25210]

+ Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
list of empty zones. [RT #24990]

+ Corrected a bug which could cause a slave server with
"allow-update-forwarding" set to become unresponsive if the
master it is trying to reach is off-line or unreachable. [RT
#24711]

+ If allow-new-zones was set to yes and ACLs were given names,
issuing 'rndc reconfig' could cause named to crash. [RT #22739]

+ Socket errors during recursion were sometimes not handled
correctly which could lead to a named assert when an associated
query structure was used after it had already been freed. [RT
#22208]

+ The logging level for DNSSEC validation failures due to expired
or not-yet-valid RRSIGs has been increased to log level "info"
to make it easier to diagnose these problems. Examples of the
new log messages are given below:

03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
pastdate-A.test.dnssec-tools.org A: verify failed due to bad
signature (keyid=19442): RRSIG has expired

03-Nov-2011 22:41:31.335 validating @0x12b5d80:
futuredate-A.test.dnssec-tools.org A: verify failed due to
bad signature (keyid=19442): RRSIG validity period has not
begun

[RT #21796]

+ This change can reduce the time when a server is unavailable
during "rndc reconfig" for servers with large and complex
configurations. This is achieved by completing the parsing of
the configuration files in entirety before entering the exclusive
phase. (Note that it does not reduce the total time spent in
"rndc reconfig", and it has no measurable impact on server
initial start-up times.) [RT #21373]

+ Direct queries for type RRSIG or SIG (sometimes used while
testing) could be handled incorrectly in the case where there
is no answer available. [RT #21050]

+ dnssec-signzone -t now records timestamps just before and just
after signing, improving the accuracy of signing statistics.
[RT #16030]

Thank You

Thank you to everyone who assisted us in making this release
possible. If you would like to contribute to ISC to assist us in
continuing to make quality open source software, please visit our
donations page at http://www.isc.org/supportisc.

(c) 2001-2012, Internet Systems Consortium
_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org

https://lists.isc.org/mailman/listinfo/bind-announce