Re: DNSSEC: Configuring auto-signed dynamic zone

2010-02-16 Thread Eugene Crosser
Mark Andrews wrote:

>> I would like to make dynamic zone automatically signed.

> Firstly upgrade to BIND 9.6.0 or later as it supports re-signing
[etc]

Thanks Mark!

With your directions, I got the system airborne in no time.

Do you think there is an appropriate place somewhere for a small
one-page HOWTO? I could document what I did and submit the result...

Regards,

Eugene



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNSSEC: Configuring auto-signed dynamic zone

2010-02-16 Thread Niobos
On 2010-02-16 13:32, Eugene Crosser wrote:
> Do you think there is an appropriate place somewhere for a small
> one-page HOWTO? I could document what I did and submit the result...
I for one would be interested!

Niobos


Re: Different handling of referrals by dig and nslookup

2010-02-16 Thread Dave Sparro

On 2/13/2010 9:42 PM, kalpesh varyani wrote:
> Hi Rick,
>
> I am aware that it is somewhat odd (but not incorrect, am I right?)
> to put a non-recursive name server in the resolv.conf but I am not
> able to understand the behavioral difference of ping/dig and nslookup.
>
> But logically shouldn't it be moving to the next name server when the
> first one fails even in the case of ping and dig? This is what, I
> think, one would expect from a resolver.

The first server in resolv.conf didn't fail.  It just didn't give you
the answer you wanted.


--
Dave
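The distinction Dave draws, as an added illustration written for this page (not code from the thread or from BIND): a stub resolver moves on to the next nameserver line only when a server fails, which in the simplified model below means an error rcode such as SERVFAIL or REFUSED (a timeout would count the same way). A non-recursive server instead returns NOERROR with an empty answer section, NS records in the authority section and the RA flag clear; that is a complete, well-formed reply, so the resolver accepts it and stops. The script builds both kinds of response in RFC 1035 wire format from constructed sample data and classifies them; the rcode handling is a model, not any particular resolver's code.

```python
"""Added example: how a stub resolver treats a referral versus a server failure.

Simplified model, not any particular resolver's code: a response with an
error rcode (SERVFAIL, NOTIMP, REFUSED) counts as the server failing, so the
resolver tries the next nameserver line; a NOERROR response, even with an
empty answer section, counts as an answer and ends the lookup.
"""
import struct

# DNS header flag bits and rcodes (RFC 1035, section 4.1.1)
QR = 0x8000          # response
RD = 0x0100          # recursion desired (copied from the query)
RA = 0x0080          # recursion available (a non-recursive server leaves it clear)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_NOTIMP, RCODE_REFUSED = 0, 2, 3, 4, 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Encode a domain name in uncompressed wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, rcode, ra, answer=(), authority=()):
    """Build a constructed response to an A query for qname.

    answer/authority are sequences of (owner, rtype, rdata) resource records.
    """
    flags = QR | RD | (RA if ra else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b""
    for owner, rtype, rdata in tuple(answer) + tuple(authority):
        rrs += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rrs


def parse_header(msg):
    """Decode the 12-byte header into the fields the classification needs."""
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
    }


def classify(msg):
    """Return what the simplified stub resolver does with this response."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] in (RCODE_SERVFAIL, RCODE_NOTIMP, RCODE_REFUSED):
        return "server failed: try next nameserver"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "name does not exist"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "answer"
    if h["rcode"] == RCODE_NOERROR and h["nscount"] > 0 and not h["ra"]:
        # NOERROR, empty answer, NS records in authority, no recursion offered:
        # the server did not fail, it just handed back a referral.
        return "referral: accepted as the final reply"
    return "no data"


# Constructed sample responses to a query for www.example.com/A.
REFERRAL = build_response(
    "www.example.com", RCODE_NOERROR, ra=False,
    authority=[("example.com", TYPE_NS, encode_name("ns1.example.com"))],
)
SERVFAIL = build_response("www.example.com", RCODE_SERVFAIL, ra=True)
ANSWER = build_response(
    "www.example.com", RCODE_NOERROR, ra=True,
    answer=[("www.example.com", TYPE_A, bytes([192, 0, 2, 1]))],
)

if __name__ == "__main__":
    for label, msg in (("referral", REFERRAL), ("servfail", SERVFAIL), ("answer", ANSWER)):
        print(f"{label:9s} rcode={parse_header(msg)['rcode']} -> {classify(msg)}")
```

Run it and the referral line shows rcode 0 with the "accepted as the final reply" outcome while the SERVFAIL line shows the failover outcome; when checking a resolv.conf problem, the header flags (RA clear, ANCOUNT 0) are the first thing to look at in a packet capture.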


ISC BIND 9.7.0 is now available

2010-02-16 Thread Evan Hunt
BIND 9.7.0 is now available.

Overview:

BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases.  Most are intended to simplify DNSSEC configuration
and operation.

New features include:

- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
  command line tool or the "local" update-policy option.  (As a side
  effect, this also makes it easier to configure automatic zone
  re-signing.)
- New named option "attach-cache" that allows multiple views to
  share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance.
- Smart signing: simplified tools for zone signing and key
  maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications.
- On some platforms, named and other binaries can now print out
  a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
  dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
  OpenSSL engine selection.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor.  In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate.  The latter problem will be addressed
  in future BIND 9 releases.  In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys": make
  sure all keys are correct and current when you add them, and
  update your configuration in a timely manner when keys roll over.

- In rare cases, DNSSEC validation can leak memory.  When this 
  happens, it will cause an assertion failure when named exits,
  but is otherwise harmless.  A fix exists, but was too late for
  this release; it will be included in BIND 9.7.1.

Compatibility notes:

- If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
  ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
  you should ensure that all changes that are in progress have
  completed prior to upgrading to BIND 9.7.  BIND 9.7 implements
  those features in a way which is not backwards compatible.

- Prior releases had a bug which caused HMAC-SHA* keys with long
  secrets to be used incorrectly.  Fixing this bug means that older
  versions of BIND 9 may fail to interoperate with this version
  when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
  tool will convert a key with a long secret into a form that works
  correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
  man page for additional details.

- Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
  It is possible for the new key ID to collide with that of a
  different key.  Newly generated keys will not have this problem,
  as "dnssec-keygen" looks for potential collisions before
  generating keys, but exercise caution if using key revocation
  with keys that were generated by older versions of BIND 9.  See
  the Administrator's Reference Manual, section 4.10 ("Dynamic
  Trust Anchor Management") for more details.

- A bug was fixed in which a key's scheduled inactivity date was
  stored incorrectly.  Users who participated in the 9.7.0 BETA test
  and had DNSSEC keys with scheduled inactivity dates will need to
  reset those keys' dates using "dnssec-settime -I".


BIND 9.7.0 can be downloaded from:

ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz

The PGP signature of the distribution is at:

ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/bind-9.7.0.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip
ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip

The PGP signature of the binary kit is at:

ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0/BIND9.7.0.debug.zip.sha256.asc
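The second compatibility note in the announcement above says that HMAC-SHA* TSIG keys with long secrets were used incorrectly before 9.7 and that isc-hmac-fixup converts such a secret into a form every version of BIND 9 accepts. The following added example, written for this page and not ISC's code, shows the RFC 2104 property that makes such a conversion possible: inside HMAC, a key longer than the hash function's block size is replaced by its hash, so hashing a long secret yourself yields a short key that produces the identical MAC. The algorithm table, sample secrets and message are constructed, and the assumption that the tool performs exactly this hashing is labelled in the code.

```python
"""Added example: the RFC 2104 rule behind converting a long HMAC-SHA* TSIG secret.

RFC 2104: an HMAC key longer than the hash function's block size is replaced
by H(key) before use, so HMAC(K, m) == HMAC(H(K), m) in every compliant
implementation. A secret rewritten as H(K) fits in one block and is therefore
never "long" again. Assumption, not something the announcement states: that
isc-hmac-fixup performs exactly this hashing.
"""
import hashlib
import hmac

# TSIG algorithm names mapped to hash constructors (constructed table).
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def fixup_long_key(secret, algorithm="hmac-sha256"):
    """Return a secret of at most one block: H(secret) if longer, else unchanged.

    Block sizes: 64 bytes for SHA-1 and SHA-256, 128 bytes for SHA-512.
    """
    digestmod = ALGORITHMS[algorithm]
    if len(secret) > digestmod().block_size:
        return digestmod(secret).digest()
    return secret


def tsig_mac(secret, message, algorithm="hmac-sha256"):
    """Compute the HMAC of a message under the given secret and algorithm."""
    return hmac.new(secret, message, ALGORITHMS[algorithm]).digest()


def verify_mac(secret, message, received_mac, algorithm="hmac-sha256"):
    """Constant-time comparison; a server must never compare MACs with ==."""
    expected = tsig_mac(secret, message, algorithm)
    return hmac.compare_digest(expected, received_mac)


def check_equivalence(secret, message, algorithm="hmac-sha256"):
    """True when the original and fixed-up secrets yield the same MAC."""
    fixed = fixup_long_key(secret, algorithm)
    return tsig_mac(secret, message, algorithm) == tsig_mac(fixed, message, algorithm)


# Constructed sample data: a 100-byte secret (longer than SHA-256's 64-byte
# block, shorter than SHA-512's 128-byte block), a short secret, and a
# stand-in for the signed dynamic update message.
LONG_SECRET = bytes(range(100))
SHORT_SECRET = b"constructed-short-secret"
MESSAGE = b"constructed dynamic update message"

if __name__ == "__main__":
    print("hmac-sha256 fixed-up secret length:", len(fixup_long_key(LONG_SECRET)))
    print("hmac-sha256 MACs identical:", check_equivalence(LONG_SECRET, MESSAGE))
    print("hmac-sha512 leaves a 100-byte secret unchanged:",
          fixup_long_key(LONG_SECRET, "hmac-sha512") == LONG_SECRET)
```

The block-size dependence is the practical point: the same 100-byte secret is "long" for hmac-sha256 but not for hmac-sha512, so any conversion must be done per algorithm, and both peers must end up configured with the same secret bytes for the MAC to verify.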