Release Notes
Contents
Introduction
BIND 9.19 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.20 release, this document will be updated with additional features added and bugs fixed. Please see the CHANGES file for a more detailed list of changes and bug fixes.
Supported Platforms
See the Supported Platforms section in the Resource Requirements chapter.
Download
The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.
Known Issues
Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may require a manual configuration change. The following configurations are affected:
type primary
zones configured withdnssec-policy
but without eitherallow-update
orupdate-policy
,type secondary
zones configured withdnssec-policy
.
In these cases please add
inline-signing yes;
to the individual zone configuration(s). Without applying this change,named
will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signingAccording to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]
Notes for BIND 9.19.9
Security Fixes
An UPDATE message flood could cause
named
to exhaust all available memory. This flaw was addressed by adding a newupdate-quota
option that controls the maximum number of outstanding DNS UPDATE messages thatnamed
can hold in a queue at any given time (default: 100). (CVE-2022-3094)ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. [GL #3523]
named
could crash with an assertion failure when an RRSIG query was received andstale-answer-client-timeout
was set to a non-zero value. This has been fixed. (CVE-2022-3736)ISC would like to thank Borja Marcos from Sarenet (with assistance by Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to our attention. [GL #3622]
named
running as a resolver with thestale-answer-client-timeout
option set to any value greater than0
could crash with an assertion failure, when therecursive-clients
soft quota was reached. This has been fixed. (CVE-2022-3924)ISC would like to thank Maksym Odinintsev from AWS for bringing this vulnerability to our attention. [GL #3619]
New Features
The new
update-quota
option can be used to control the number of simultaneous DNS UPDATE messages that can be processed to update an authoritative zone on a primary server, or forwarded to the primary server by a secondary server. The default is 100. A new statistics counter has also been added to record events when this quota is exceeded, and the version numbers for the XML and JSON statistics schemas have been updated. [GL #3523]
Removed Features
The statements setting alternate local addresses for inbound zone transfers (
alt-transfer-source
,alt-transfer-source-v6
, anduse-alt-transfer-source
) have been removed. [GL #3714]The Differentiated Services Code Point (DSCP) feature in BIND has been non-operational since the new Network Manager was introduced in BIND 9.16. It is now marked as obsolete, and vestigial code implementing it has been removed. Configuring DSCP values in
named.conf
now causes a warning to be logged. [GL #3773]
Feature Changes
A new way of configuring the preferred source address when talking to remote servers, such as
primaries
andparental-agents
, has been added: setting thesource
and/orsource-v6
arguments for a given statement is now possible. This new approach is intended to eventually replace statements such asparental-source
,parental-source-v6
,transfer-source
, etc. [GL #3762]The code for DNS over TCP and DNS over TLS transports has been replaced with a new, unified transport implementation. [GL #3374]
Bug Fixes
A rare assertion failure was fixed in outgoing TCP DNS connection handling. [GL #3178] [GL #3636]
In addition to a previously fixed bug, another similar issue was discovered where quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3752]
In certain query resolution scenarios (e.g. when following CNAME records),
named
configured to answer from stale cache could return a SERVFAIL response despite a usable, non-stale answer being present in the cache. This has been fixed. [GL #3678]When an outgoing request timed out,
named
would retry up to three times with the same server instead of trying the next available name server. This has been fixed. [GL #3637]Recently used ADB names and ADB entries (IP addresses) could get cleaned when ADB was under memory pressure. To mitigate this, only actual ADB names and ADB entries are now counted (excluding internal memory structures used for “housekeeping”) and recently used (<= 10 seconds) ADB names and entries are excluded from the overmem memory cleaner. [GL #3739]
The “Prohibited” Extended DNS Error was inadvertently set in some NOERROR responses. This has been fixed. [GL #3743]
Previously, TLS session resumption could have led to handshake failures when client certificates were used for authentication (Mutual TLS). This has been fixed. [GL #3725]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.8
Removed Features
The
coresize
,datasize
,files
, andstacksize
options have been removed. The limits these options set should be enforced externally, either by manual configuration (e.g. usingulimit
) or via the process supervisor (e.g.systemd
). [GL #3676]Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no longer trigger key rollovers and denial-of-existence operations. This also means that the
dnssec-secure-to-insecure
option has been obsoleted. [GL #3686]
Feature Changes
The TTL of the NSEC3PARAM record for every NSEC3-signed zone was previously set to 0. It is now changed to match the SOA MINIMUM value for the given zone. [GL #3570]
The
--with-tuning
option forconfigure
has been removed. Each of the compile-time settings that required different values based on the “workload” (which were previously affected by the value of the--with-tuning
option) has either been removed or changed to a sensible default. [GL #3664]The
auto-dnssec
option has been deprecated and will be removed in a future BIND 9.19.x release. Please migrate todnssec-policy
. [GL #3667]Setting alternate local addresses for inbound zone transfers has been deprecated. The relevant options (
alt-transfer-source
,alt-transfer-source-v6
, anduse-alt-transfer-source
) will be removed in a future BIND 9.19.x release. [GL #3694]On startup,
named
now sets the limit on the number of open files to the maximum allowed by the operating system, instead of trying to set it to “unlimited”. [GL #3676]The number of HTTP headers allowed in requests sent to
named
’s statistics channel has been increased from 10 to 100, to accommodate some browsers that send more than 10 headers by default. [GL #3670]
Bug Fixes
named
could crash due to an assertion failure when an HTTP connection to the statistics channel was closed prematurely (due to a connection error, shutdown, etc.). This has been fixed. [GL #3693]When a catalog zone was removed from the configuration, in some cases a dangling pointer could cause the
named
process to crash. This has been fixed. [GL #3683]When a zone was deleted from a server, a key management object related to that zone was inadvertently kept in memory and only released upon shutdown. This could lead to constantly increasing memory use on servers with a high rate of changes affecting the set of zones being served. This has been fixed. [GL #3727]
TLS configuration for primary servers was not applied for zones that were members of a catalog zone. This has been fixed. [GL #3638]
In certain cases,
named
waited for the resolution of outstanding recursive queries to finish before shutting down. This was unintended and has been fixed. [GL #3183]host
andnslookup
command-line options setting the custom TCP/UDP port to use were ignored for ANY queries (which are sent over TCP). This has been fixed. [GL #3721]The new name compression code in BIND 9.19.7 was not compressing names in zone transfers that should have been compressed, so zone transfers were larger than before. This has been fixed. [GL #3706]
The
zone <name>/<class>: final reference detached
log message was moved from the INFO log level to the DEBUG(1) log level to prevent thenamed-checkzone
tool from superfluously logging this message in non-debug mode. [GL #3707]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.7
New Features
The
check-svcb
option has been added to control the checking of additional constraints on SVCB records. This change affectsnamed
,named-checkconf
,named-checkzone
,named-compilezone
, andnsupdate
. [GL #3576]
Feature Changes
On Linux, libcap is now a required dependency to help
named
keep needed privileges. [GL #3583]The DNS name compression algorithm used in BIND 9 has been revised: it now compresses more thoroughly than before, so responses containing names with many labels might have a smaller encoding than before. [GL #3661]
Bug Fixes
A crash was fixed that happened when a
dnssec-policy
zone that used NSEC3 was reconfigured to enableinline-signing
. [GL #3591]In certain resolution scenarios, quotas could be erroneously reached for servers, including any configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. [GL #3598]
rpz-ip
rules inresponse-policy
zones could be ineffective in some cases if a query had the CD (Checking Disabled) bit set to 1. This has been fixed. [GL #3247]Previously, if Internet connectivity issues were experienced during the initial startup of
named
, a BIND resolver withdnssec-validation
set toauto
could enter into a state where it would not recover without stoppingnamed
, manually deleting themanaged-keys.bind
andmanaged-keys.bind.jnl
files, and startingnamed
again. This has been fixed. [GL #2895]Previously, the port in remote servers such as in
primaries
andparental-agents
could be wrongly configured because of an inheritance bug. This has been fixed. [GL #3627]Previously, BIND failed to start on Solaris-based systems with hundreds of CPUs. This has been fixed. [GL #3563]
When a DNS resource record’s TTL value was equal to the resolver’s configured
prefetch
“eligibility” value, the record was erroneously not treated as eligible for prefetching. This has been fixed. [GL #3603]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.6
Known Issues
Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may require a manual configuration change. The following configurations are affected:
type primary
zones configured withdnssec-policy
but without eitherallow-update
orupdate-policy
,type secondary
zones configured withdnssec-policy
.
In these cases please add
inline-signing yes;
to the individual zone configuration(s). Without applying this change,named
will fail to start. For more details, see https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signingSee above for a list of all known issues affecting this BIND 9 branch.
New Features
Support for parsing and validating the
dohpath
service parameter in SVCB records was added. [GL #3544]named
now supports forwarding Dynamic DNS updates through DNS-over-TLS (DoT). [GL #3512]The
nsupdate
tool now supports DNS-over-TLS (DoT). [GL #1781]named
now logs the supported cryptographic algorithms during startup and in the output ofnamed -V
. [GL #3541]A new configuration option
require-cookie
has been introduced. It specifies whether there should be a DNS COOKIE in the response for a given prefix; if not,named
falls back to TCP. This is useful if it is known that a given server supports DNS COOKIE. It can also be used to force all non-DNS COOKIE responses to fall back to TCP. [GL #2295]Support for libsystemd’s
sd_notify()
function was added, enablingnamed
to report its status to the init system. This allows systemd to wait untilnamed
is fully ready before starting other services that depend on name resolution. [GL #1176]The
recursion not available
andquery (cache) '...' denied
log messages were extended to include the name of the ACL that caused a given query to be denied. [GL #3587]
Feature Changes
When an international domain name is not valid according to IDNA2008,
dig
now tries to convert it according to IDNA2003 rules, or pass it through unchanged, instead of stopping with an error message. Theidna2
utility can be used to check IDNA syntax. [GL #3527]The DNSSEC signing data included in zone statistics identified keys only by the key ID; this caused confusion when two keys using different algorithms had the same ID. Zone statistics now identify keys using the algorithm number, followed by “+”, followed by the key ID: for example,
8+54274
. [GL #3525]The ability to use PKCS#11 via engine_pkcs11 has been restored, by using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be compiled with
-DOPENSSL_API_COMPAT=10100
specified in the CFLAGS environment variable at compile time. [GL #3578]Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. libuv should be available on all supported platforms either as a native package or as a backport. [GL #3567]
Bug Fixes
An assertion failure was fixed in
named
that was caused by aborting the statistics channel connection while sending statistics data to the client. [GL #3542]named
could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. This has been fixed. [GL #1967]Changing just the TSIG key names for primaries in catalog zones’ member zones was not effective. This has been fixed. [GL #3557]
Notes for BIND 9.19.5
Security Fixes
Previously, there was no limit to the number of database lookups performed while processing large delegations, which could be abused to severely impact the performance of
named
running as a recursive resolver. This has been fixed. (CVE-2022-2795)ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention. [GL #3394]
When an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer. This has been fixed. (CVE-2022-2881) [GL #3493]
Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that could be externally triggered, when using TKEY records in DH mode with OpenSSL 3.0.0 and later versions. (CVE-2022-2906) [GL #3491]
named
running as a resolver with thestale-answer-client-timeout
option set to0
could crash with an assertion failure, when there was a stale CNAME in the cache for the incoming query. This has been fixed. (CVE-2022-3080) [GL #3517]Memory leaks were fixed that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL #3487]
New Features
A new Response Policy Zone (RPZ) option,
ede
, was added. It enables an RFC 8914 Extended DNS Error (EDE) code of choice to be set for responses which have been modified by a given RPZ. [GL #3410]Worker threads’ event loops are now managed by a new “loop manager” API, significantly changing the architecture of the task, timer, and networking subsystems for improved performance and code flow. [GL #3508]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are subject to wildcard processing within a given zone as the same name, to prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using
dnssec-policy
now require dynamic DNS orinline-signing
to be configured explicitly. [GL #3381]When reconfiguring
dnssec-policy
from using NSEC with an NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3, BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC until the offending DNSKEY records have been removed from the zone, then switches to using NSEC3. [GL #3486]A backward-compatible approach was implemented for encoding internationalized domain names (IDN) in
dig
and converting the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL #3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data from cache for lookups that received duplicate queries or queries that would be dropped. This bug resulted in premature SERVFAIL responses, and has now been resolved. [GL #2982]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.4
Removed Features
The use of the
max-zone-ttl
option inoptions
andzone
blocks has been deprecated; it should now be configured as part ofdnssec-policy
. A warning is logged if this option is used inoptions
orzone
blocks. In a future release, it will become nonoperational. [GL #2918]
Feature Changes
The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9). Primary zones using those algorithms need to be migrated to new algorithms prior to running on these systems, as graceful migration to different DNSSEC algorithms is not possible when RSASHA1 is disallowed by the operating system. [GL #3469]
Log messages related to fetch limiting have been improved to provide more complete information. Specifically, the final counts of allowed and spilled fetches are now logged before the counter object is destroyed. [GL #3461]
Bug Fixes
When running as a validating resolver forwarding all queries to another resolver,
named
could crash with an assertion failure. These crashes occurred when the configured forwarder sent a broken DS response andnamed
failed its attempts to find a proper one instead. This has been fixed. [GL #3439]DNS compression is no longer applied to the root name (
.
) if it is repeatedly used in the same RRset. [GL #3423]Non-dynamic zones that inherit
dnssec-policy
from theview
oroptions
blocks were not marked as inline-signed and therefore never scheduled to be re-signed. This has been fixed. [GL #3438]rndc dumpdb -expired
was fixed to include expired RRsets, even ifstale-cache-enable
is set tono
and the cache-cleaning time window has passed. [GL #3462]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.3
New Features
A new command,
rndc fetchlimit
, prints a list of name server addresses that are currently rate-limited due tofetches-per-server
and domain names that are rate-limited due tofetches-per-zone
. [GL #665]
Removed Features
The
glue-cache
option has been removed. The glue cache feature still works and is now permanently enabled. [GL #2147]
Feature Changes
To reduce unnecessary memory consumption in the cache, NXDOMAIN records are no longer retained past the normal negative cache TTL, even if
stale-cache-enable
is set toyes
. [GL #3386]The
dnssec-signzone -H
default value has been changed to 0 additional NSEC3 iterations. This change aligns thednssec-signzone
default with the default used by thednssec-policy
feature. At the same time, documentation about NSEC3 has been aligned with the Best Current Practice. [GL #3395]
Bug Fixes
An assertion failure caused by a TCP connection closing between a connect (or accept) and a read from a socket has been fixed. [GL #3400]
When grafting non-delegated namespace onto delegated namespace,
synth-from-dnssec
could incorrectly synthesize non-existence of records within the non-delegated namespace using NSEC records from higher zones. [GL #3402]Previously,
named
immediately returned a SERVFAIL response to the client when it received a FORMERR response from an authoritative server during recursive resolution. This has been fixed:named
acting as a resolver now attempts to contact other authoritative servers for a given domain when it receives a FORMERR response from one of them. [GL #3152]Previously,
rndc reconfig
did not pick up changes toendpoints
statements inhttp
blocks. This has been fixed. [GL #3415]It was possible for a catalog zone consumer to process a catalog zone member zone when there was a configured pre-existing forward-only forward zone with the same name. This has been fixed. [GL #2506]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.2
Feature Changes
New
dnssec-policy
configuration checks have been added to detect unusual policies, such as missing KSK and/or ZSK and too-short key lifetimes and re-sign periods. [GL #1611]
Bug Fixes
The
fetches-per-server
quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]
Key files were updated every time the
dnssec-policy
key manager ran, whether the metadata had changed or not.named
now checks whether changes were applied before writing out the key files. [GL #3302]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.1
Security Fixes
Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in
named
instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]
New Features
Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by
named
. All of the previously supported BIND-specific catalog zone custom properties (primaries
,allow-query
, andallow-transfer
), as well as the new Change of Ownership (coo
) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, theversion
property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]Support DNS Extended Errors (RFC 8914)
Stale Answer
andStale NXDOMAIN Answer
when stale answers are returned from cache. [GL #2267]The Object Identifier (OID) embedded at the start of a PRIVATEOID public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. The Object Identifier is now printed when the
dig +rrcomments
option is used. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3234]The Object Identifier (OID) embedded at the start of a PRIVATEOID signature in a SIG, or RRSIG resource records is now checked to ensure that it is valid when reading from zone files or receiving data on the wire. Similarly, the name embedded at the start of a PRIVATEDNS public key is also checked for validity. [GL #3296]
Bug Fixes
Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the
auto-dnssec maintain;
option. This has been fixed. [GL #2931]
Known Issues
There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.
Notes for BIND 9.19.0
Known Issues
According to RFC 8310, Section 8.1, the
Subject
field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. OnlysubjectAltName
must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore theSubject
field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will havesubjectAltName
set. In such cases, theSubject
field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]See above for a list of all known issues affecting this BIND 9 branch.
New Features
Add support for remote TLS certificate verification, both to
named
anddig
, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]dnssec-verify
anddnssec-signzone
now accept a-J
option to specify a journal file to read when loading the zone to be verified or signed. [GL #2486]
Removed Features
The
keep-response-order
option has been declared obsolete and the functionality has been removed.named
expects DNS clients to be fully compliant with RFC 7766. [GL #3140]
Feature Changes
Run RPZ updates on the specialized “offload” threads to reduce the amount of time they block query processing on the main networking threads. This should increase the responsiveness of
named
when RPZ updates are being applied after an RPZ zone has been successfully transferred. [GL #3190]The catalog zone implementation has been optimized to work with hundreds of thousands of member zones. [GL #3212] [GL #3744]
License
BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the COPYING
file for the full text).
Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.
End of Life
BIND 9.19 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.20, which will be a stable branch. The end-of-life date for BIND 9.20 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.16, which will be supported until at least December 2023. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.
Thank You
Thank you to everyone who assisted us in making this release possible.