Introduction

   BIND 9.9.0 is the first production release of BIND 9.9.

   This document summarizes changes from BIND 9.8 to BIND 9.9.
   Please see the CHANGES file in the source code release for a
   complete list of all changes.

Download

   The latest versions of BIND 9 software can always be found
   on our web site at http://www.isc.org/downloads/all. There
   you will find additional information about each release,
   source code, and pre-compiled versions for Microsoft Windows
   operating systems.

Support

   Product support information is available on
   http://www.isc.org/services/support for paid support options.
   Free support is provided by our user community via a mailing
   list. Information on all public email lists is available at
   https://lists.isc.org/mailman/listinfo.

New Features

   The new "inline-signing" option, in combination with the
   "auto-dnssec" option that was introduced in BIND 9.7, allows
   named to sign zones completely transparently.  Previously
   automatic zone signing only worked on master zones that were
   configured to be dynamic; now, it works on any master or slave
   zone. In a master zone with inline signing, the zone is loaded
   from disk as usual, and a second copy of the zone is created
   to hold the signed version.  The original zone file is not
   touched; all comments remain intact.  When you edit the zone
   file and reload, named detects the incremental changes that
   have been made to the raw version of the zone, and applies
   those changes to the signed version, adding signatures as
   needed. A slave zone with inline signing works similarly,
   except that instead of loading the zone from disk and then
   signing it, the slave transfers the zone from a master server
   and then signs it.  This enables "bump in the wire" signing:
   a dedicated signing server acting as an intermediary between
   a hidden master server (which provides the raw zone data) and
   a set of publicly accessible slave servers (which only serve
   the signed data). [RT #26224/23657]

   NXDOMAIN redirection is now possible. This enables a resolver
   to respond to a client with locally-configured information
   when a query would otherwise have gotten an answer of "no
   such domain". This allows a recursive nameserver to provide
   alternate suggestions for misspelled domain names.  Note that
   names that are in DNSSEC-signed domains are exempted from
   this when validation is in use. [RT #23146]

   The "rndc flushtree <name>" command removes the specified name
   and all names under it from the cache. [RT #19970]

   The "rndc sync" command dumps pending changes in a dynamic zone
   to disk without a freeze/thaw cycle. "rndc sync -clean" removes
   the journal file after syncing. "rndc freeze" no longer removes
   journal files. [RT #22473]

   The new "rndc signing" command provides greater visibility
   and control of the automatic DNSSEC signing process.  Options
   to this new command include "-list <zone>" which will show
   the current state of signing operations overall or per specified
   zone. [RT #23729]

   "auto-dnssec" zones can now have NSEC3 parameters set prior
   to signing. [RT #23684]

   Improves the startup time for an authoritative server with a
   large number of zones by making the zone task table of variable
   size rather than fixed size.  This means that authoritative
   servers with many zones will be serving that zone data much
   sooner. [RT #24406]

   Improves scalability by using multiple threads to listen for
   and process queries. Previously named only listened for queries
   on one thread regardless of the number of overall threads
   used. [RT #22992]

   Improves startup and reconfiguration time by allowing zones
   to load in multiple threads.  [RT #25333]

   Improves initial start-up and server reload time by increasing
   the default size of the hash table the configuration parser
   uses to keep track of loaded zones and allowing it to grow
   dynamically to better handle systems with large numbers of
   zones.  [RT #26523]

   The "also-notify" option now takes the same syntax as "masters",
   so it can use named master lists and TSIG keys. [RT #23508]
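
   As an added example that is not part of these release notes, the
   following named.conf fragments show the "bump in the wire"
   arrangement described under inline signing above, together with
   the new "also-notify" syntax that accepts a named masters list.
   Every address, path and the key directory is assumed, and the
   signing server's key-directory is assumed to already hold keys
   generated with dnssec-keygen.

```conf
# Added example, not from the release notes. Three separate named.conf
# fragments, one per server; all addresses and paths are assumed.

# --- Hidden master (192.0.2.1): holds the raw, unsigned zone file and
# --- is not listed in the zone's NS records. Only the signing server
# --- may transfer from it, and only it is notified of changes.
zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    allow-transfer { 192.0.2.2; };
    also-notify { 192.0.2.2; };
    notify explicit;                 # notify also-notify targets only
};

# --- Signing server (192.0.2.2): a slave zone with inline-signing.
# --- It transfers the raw zone from the hidden master, signs it with
# --- the keys in key-directory (assumed to exist) and serves only the
# --- signed copy, which named keeps in a separate file (by default the
# --- zone file name with ".signed" appended); the raw file is untouched.
masters public-slaves { 192.0.2.10; 192.0.2.11; };

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "/var/named/example.com.db";
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/var/named/keys";
    allow-transfer { 192.0.2.10; 192.0.2.11; };
    also-notify { public-slaves; };  # 9.9: a named masters list is accepted
    notify explicit;
};

# --- Public slaves (192.0.2.10, 192.0.2.11): ordinary slaves that only
# --- ever see the signed zone and never hold any private key material.
zone "example.com" {
    type slave;
    masters { 192.0.2.2; };
    file "/var/named/example.com.signed.db";
};
```

   Because the public slaves transfer from the signing server rather
   than the hidden master, the private keys never need to leave the
   signing host.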

   The "dnssec-signzone -D" option causes dnssec-signzone to
   write DNSSEC data to a separate output file. This allows you
   to put "$INCLUDE example.com.signed" into the zonefile for
   example.com, run "dnssec-signzone -SD example.com", and the
   result is a fully signed zone which did *not* overwrite your
   original zone file. Running the same command again will
   incrementally re-sign the zone, replacing only those signatures
   that need updating, rather than signing the entire zone from
   scratch. [RT #22896]

   "dnssec-signzone -R" forces removal of signatures that are
   not expired but were created by a key which no longer exists.
   [RT #22471]

   The "dnssec-signzone -X" option allows signatures on DNSKEY records
   to have a different expiration date from other signatures.
   This makes it more convenient to keep your KSK on a separate
   system and re-sign the zone with it less frequently. [RT
   #22141]

   The "-L" option to dnssec-keygen, dnssec-settime, and dnssec-keyfromlabel
   sets the default TTL for the key when it is converted into a
   DNSKEY RR. [RT #23304]

   "dnssec-dsfromkey -f -" allows for reading keys from standard
   input, making it easier to convert DNSKEY records to DS.
   Example usage:  "dig +noall +answer dnskey example.com |
   dnssec-dsfromkey -f - example.com" [RT #20662]

   The 'serial-update-method' option allows dynamic zones to
   have their SOA serial number set to the current UNIX time if
   desired, rather than simply incrementing the serial number
   with each change to the zone. [RT #23849]

   Per RFC 6303, RFC 1918 reverse zones are now part of the
   built-in list of empty zones. [RT #24990]

   Added support for Uniform Resource Identifier (URI) resource
   records. [RT #23386]

   Client requests using TSIG now log the name of the TSIG key
   used. [RT #23619]

   Add a 'named -U' option to set the number of UDP listener
   threads per interface. [RT #26485]

   dnssec-signzone: "-f -" prints to stdout; "-O full" option
   prints in single-line-per-record format.  [RT #20287]

   Add a configuration switch "dnssec-lookaside 'no'" to explicitly
   set the current default behavior.  [RT #24858]

   'rndc querylog' can now be given an on/off parameter instead
   of only being used as a toggle. [RT #18351]

   When the server logs messages about the state of recursive
   client processing, it will include the name the client had
   requested in the log messages, to make it easier to identify
   problems when they occur. Such log messages will now look
   similar to this one:

      03-Nov-2011 14:14:44.981 client 10.53.0.7#49775
      (www.example.com): send

   Several RPZ feature improvements have been made.  Highlights
   are a new "rpz" logging channel and RPZ CNAME RDATA can now
   include wildcards.  [RT #25172]

   Enables DLZ modules to retrieve client information so that
   responses can be changed depending on the source address of
   the query.  For more information see contrib/dlz/example/README.
   (Note that this change will be of limited interest to most
   BIND users - it is intended for developers who are working
   with DLZ) [RT #25768/26215]

Feature Changes

   Local copies of slave zones are now saved in raw format by
   default to improve startup performance.  The option
   'masterfile-format text;' can be used to override the default
   if desired. [RT #25867]

   BIND 9.9 changes the default storage format for slave zone
   files from text to raw.  Because named's behavior when a slave
   server cannot read or parse a zone file is to move the offending
   file out of the way and retransfer the zone, slave servers
   that are updated from a pre-9.9.0 version of BIND and which
   have existing copies of slave zone data may wind up with
   extraneous copies of zone data stored, as the existing
   text-format zone file copies will be moved aside to filenames
   of the format db-###### and journal files to the format
   jn-###### (where # represents a hexadecimal digit). [RT
   #27058]

   When replacing an NS RRset, BIND now restricts the TTL of the
   new NS RRset to no more than that of the NS RRset it replaces.
   [RT #27792]

   The "improves scalability by using multiple threads to listen
   for and process queries" change introduced in prior 9.9 releases
   via RT #22992 does not work on Windows. This feature has now
   been disabled on Windows builds. [RT #27696]

   Darwin 11 and later are now built threaded by default.

   RRset ordering now defaults to random. [RT #27174]

   dig has been modified to produce more human-readable and
   parsable DNSSEC data output. DNSKEY record comments are more
   verbose and are no longer limited to multiline mode; multiline
   RRSIG records are now reformatted; and multiline output mode for
   NSEC3PARAM records is now supported. New related options in
   dig are "+nocomments", which suppresses DNSKEY comments;
   "+split=X", which breaks hex/base64 records into fields of
   width X; and "+nosplit", which prevents RDATA fields from being
   split at all. [RT #22820]

   dig now defaults to using options "+adflag" and "+edns=0"
   which better reflect the behaviour of BIND and many other
   modern nameservers when recursing.   Additionally "+dnssec"
   will be automatically enabled when running "dig +trace". [RT
   #23497]

   RFC 1918 empty zones will now be configured automatically.
   Named will attempt to determine if an RFC 1918 zone already
   exists or is active and will not create an empty zone in that
   case.  In prior versions, these were switched on with the
   empty-zones-enable option.  [RT #27139]

   Extends the header of raw-format master files to include the
   serial number of the zone from which they were generated, if
   different (as in the case of inline-signing zones). This is
   needed by change #3252 to track changes between the unsigned
   and signed versions of the zone, which may have different
   serial numbers if zone files are updated when the server is
   offline.  Note that this change means that raw zonefiles
   generated by this version of BIND are no longer compatible
   with prior versions.  To generate a backward-compatible raw
   zonefile using dnssec-signzone or named-compilezone, specify
   output format "raw=0" instead of simply "raw".  [RT #26587]

   Option request-ixfr can now be specified at zone level.  Using
   option ixfr-from-differences on a slave server no longer
   causes it to default to requesting AXFR-style transfers.
   (This change was added as part of the implementation of
   inline-signing.)  [RT #25156]

   --enable-developer, a new composite argument to the configure
   script, enables a set of build options normally disabled but
   frequently selected in test or development builds, specifically:
   enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip,
   enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and
   Darwin, also enable_exportlib). [RT #27103]

   named-compilezone no longer emits the "dump zone to <file>"
   message when writing to stdout.  [RT #27109]

   Support for readline has been added to nslookup and nsupdate
   - see ./configure for options at build time.  In addition,
   the syntax of nslookup has been streamlined by making "update"
   and "prereq" optional. [RT #24659]

   The logging level for DNSSEC validation failures due to expired
   or not-yet-valid RRSIGs has been increased to log level "info"
   to make it easier to diagnose these problems.  Examples of
   the new log messages are given below:

      03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0:
      pastdate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG has expired

      03-Nov-2011 22:41:31.335 validating @0x12b5d80:
      futuredate-A.test.dnssec-tools.org A: verify failed due to
      bad signature (keyid=19442): RRSIG validity period has not
      begun

   [RT #21796]

   When logging messages about the state of  recursive client
   processing, named now includes in its log entries the name
   the client requested to make troubleshooting easier. [RT
   #25944]

   Parsing of the configuration files is now completed in its
   entirety before named enters the exclusive phase.  This can
   reduce the time a server is unavailable during "rndc reconfig"
   for servers with large and complex configurations.  (Note that
   it does not reduce the total time spent in "rndc reconfig",
   and it has no measurable impact on server initial start-up
   times.) [RT #21373]

Bug Fixes

   The managed key maintenance timer could fail to restart after
   'rndc reconfig', resulting in managed keys not being properly
   added to managed-keys.bind. [RT #27686]

   The dlz_destroy() function wasn't correctly registered by the
   DLZ dlopen driver. [RT #28056]

   Corrects an INSIST failure by addressing race conditions in
   the handling of rbtnode.deadlink. [RT #27738]

   Raw zones with more than 512 records in an RRset failed to
   load. [RT #27863]

   SOA refresh queries could be treated as cancelled despite
   succeeding over the loopback interface. [RT #27782]

   An error handling an out of memory condition could cause a
   stored rdataset to be freed twice using DNS64. [RT #27762]

   Make sure automatic key maintenance is started when "rndc
   reconfig" is issued if "auto-dnssec maintain" is turned on.
   [RT #26805]

   Stabilizes the BIND build in the Mac OS environment by
   addressing problems with mksymtbl and ensuring that it's using
   portable perl.  [RT #27653]

   Corrects a potential overflow problem in the computation of
   RRSIG expiration times. [RT #23311]

   Error reporting has been improved for failures encountered
   when sending or receiving network packets.  In particular
   some memory allocation failures were being logged as "unexpected
   error" - these will now be reported accurately.  A new
   ISC_R_UNSET result code has also been added to cover those
   situations where there is no error code returned by the OS
   sockets implementation.  [RT #27336]

   The maximum number of NSEC3 iterations for a DNSKEY RRset was
   not being properly computed.  [RT #26543]

   RPZ implementation now conforms to version 3 of the specification.
   [RT #27316]

   Some query patterns could cause responses not to be returned
   in cyclic order though "rrset-order cyclic" was set.  [RT
   #27170/27185]

   dnssec-signzone -t now records timestamps just before and
   just after signing, improving the accuracy of signing statistics.
   [RT #16030]

   If allow-new-zones was set to yes and ACLs were given names,
   issuing "rndc reconfig" could cause named to crash. [RT #22739]

   When a validating resolver received a NODATA response for
   DNSKEY, it was not caching the NODATA. Fixed and test added.
   [RT #22908]

   Using Response Policy Zone (RPZ) with DNAME records and
   querying the subdomain of that label could cause named to
   crash; named now logs that DNAME is not supported. [RT #24766]

   If "ixfr-from-differences" is set to no and a dynamic zone's
   serial number has been changed, "rndc thaw" will now remove
   the zone's journal file. [RT #24687]

   RT #23136 (CHANGES #3114) fixed a problem where named would
   delete old signatures even when the private key wasn't available
   to re-sign the zone, resulting in a zone with missing signatures.
   However, the initial fix was found to be incomplete particularly
   when multiple algorithms may have been used. [RT #24577]

   named would log warnings that empty zones may fail to transfer
   to slaves due to serial number 0. These spurious errors have
   now been silenced. [RT #25079]

   Corrected memory leaks and out of order operations that could
   cause named to crash during a normal shutdown. [RT #25210]

   dns_db_rpz_findips() could fail to set the database version
   correctly, causing an assertion failure. [RT #26180]

   resolver.c:validated() was not thread-safe. [RT #26478]

   Correct a situation in rbtdb.c: where failure to remove a
   node from the deadnodes list prior to adding a reference to
   it could lead to a possible assertion failure. [RT #23219]

   Canceling the oldest query due to recursive-client overload
   could trigger an assertion failure. [RT #26463]

   NOEDNS caching on timeout was too aggressive.  [RT #26416]

   Clarify the error message reported when the config parser
   cannot open a file.  [RT #22263]

   A query structure could be used after being freed. [RT #22208]

   zone.c:zone_refreshkeys() could fail to detach references
   correctly when errors occurred, causing a hang on shutdown.
   [RT #26372]

   Sets isc_socket_ipv6only() on the IPv6 control channels.  This
   addresses IPv6 socket binding problems that can occur in some
   configurations when bindv6only=1 is set globally.   [RT #22249]

   named now reports a syntax error when a TXT record longer
   than 255 characters is configured.  [RT #26956]

   Master zones using inline-signing can now be updated when the
   server is offline without losing synchronization between signed
   and un-signed zones.  This has been achieved via change #3242
   which extends the raw-format master file header to include
   the serial number of the zone from which the signed zone was
   generated.  [RT #26676]

   In 9.9, the "also-notify" option uses the same syntax as
   "masters" allowing it to make use of master lists and TSIG
   keys.  This release corrects a bug in the alpha and beta
   releases of 9.9 that would prevent named from starting if an
   empty "also-notify" list was used. [RT #27087]

   Suppresses spurious errors that could be generated when
   freezing and thawing a dynamic zone with uncommitted updates
   and ixfr-from-differences set.  named no longer reports
   'unchanged serials' unless there were other changes found
   when thawing the zone.  [RT #26845]

   Addresses race conditions in the resolver code that can cause
   named to abort.   [RT #26889]

   Prevents DNSKEY state change events from being missed by
   ensuring that the timestamps used to determine which keys are
   in use are set appropriately.  [RT #26874]

   When processing a list of keys, named now consistently compares
   them with the same timestamp. [RT #26883]

   Fixes a bug that could cause named to crash while loading a
   zone with invalid DNSKEY records.  [RT #26913]

   Prevents dig -6 +trace from terminating with an error when
   encountering a root nameserver without an AAAA record. [RT
   #26906]

   An unusual corner-case buffer handling issue in zone transfers
   is corrected.  The symptom was that zones that contain record
   types that do not compress when converted to wire format could
   fail to transfer.  [RT #26796]

   Addresses a selection of minor resource leaks that were
   identified via code checking tools but which have not been
   reported from any production environments.  [RT #26624]

   The performance enhancement to add multiple listener threads
   could cause spurious "setsockopt(517, IPV6_V6ONLY) failed"
   messages to be emitted. These messages are now suppressed.
   [RT #26507]

   rndc argument parsing has been improved to prevent unexpected
   results including named crashes if "rndc signing" is used
   with incorrect or missing arguments.  [RT #26684]

   Prevents intermittent coredumps on shutdown due to referencing
   fetch context after it's been freed.  [RT #26720]

   Servers that received negative responses from a forwarder
   were failing to cache the answers correctly, resulting in
   multiple queries for the same non-existent name being sent
   to the forwarders instead of answers being provided to clients
   from cache (until TTL expiry).   [RT #25380]

   Fixes a problem whereby "rndc dumpdb" could cause an assertion
   failure and abort by attempting to print an empty rdataset.
   [RT #25452]

   Corrects a problem validating root DS responses. [RT #25726]

   Fixes a bug in zone.c where failure to delete signatures could
   lead to an assertion failure and subsequent abort.  [RT #25880]

   Master servers that had previously been marked as unreachable
   because of failed zone transfer attempts will now be removed
   from the "unreachable" list (i.e. considered reachable again)
   if the slave receives a NOTIFY message from them. [RT #25960]

   The management of named's recursive client lists has been
   reworked to reduce performance bottlenecks due to lock
   contention in this area (which particularly impacted busy
   servers with large numbers of threads).  [RT #26044]

   Fixes a problem with the computation of tags for revoked keys.
   [RT #26186]

   named now correctly validates DNSSEC positive wildcard responses
   from NSEC3 signed zones. [RT #26200]

Thank You

   Thank you to everyone who assisted us in making this release
   possible. If you would like to contribute to ISC to assist
   us in continuing to make quality open source software, please
   visit our donations page at http://www.isc.org/supportisc.

(c) 2001-2012 Internet Systems Consortium