Introduction
ISC BIND 9.8.1 is now available.
This release includes startup-performance improvements described
in http://www.isc.org/files/imce/startup-performance.pdf.
BIND 9.8.1b3 is the third beta release of BIND 9.8.
This document summarizes changes from BIND 9.8.0 to BIND 9.8.1b3.
Please see the CHANGES file in the source code release for a complete
list of all changes.
Download
The latest versions of BIND 9 software can always be found on our web
site at http://www.isc.org/downloads/all. There you will find
additional information about each release, source code, and some
pre-compiled versions for certain operating systems.
Support
Product support information is available on
http://www.isc.org/services/support for paid support options. Free
support is provided by our user community via a mailing list.
Information on all public email lists is available at
https://lists.isc.org/mailman/listinfo.
New Features
* Added a new include file with function typedefs for the DLZ
"dlopen" driver. [RT #23629]
* Added a tool able to generate malformed packets to allow testing of
how named handles them. [RT #24096]
Security Fixes
* If named is configured with a response policy zone (RPZ) and a
query of type RRSIG is received for a name configured for RRset
replacement in that RPZ, it will trigger an INSIST and crash the
server. RRSIG. [RT #24280]
* named, set up to be a caching resolver, is vulnerable to a user
querying a domain with very large resource record sets (RRSets)
when trying to negatively cache the response. Due to an off-by-one
error, caching the response could cause named to crash. [RT #24650]
[CVE-2011-1910]
* Using Response Policy Zone (RPZ) to query a wildcard CNAME label
with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
query type independant. [RT #24715]
* Using Response Policy Zone (RPZ) with DNAME records and querying
the subdomain of that label can cause named to crash. Now logs that
DNAME is not supported. [RT #24766]
* Change #2912 populated the message section in replies to UPDATE
requests, which some Windows clients wanted. This exposed a latent
bug that allowed the response message to crash named. With this
fix, change 2912 has been reduced to copy only the zone section to
the reply. A more complete fix for the latent bug will be released
later. [RT #24777]
Feature Changes
* Improved the startup time for an authoritative server with a large
number of zones by making the zone task table of variable size
rather than fixed size. This means that authoritative servers with
lots of zones will be serving that zone data much sooner. [RT
#24406]
* Merged in the NetBSD ATF test framework (currently version 0.12)
for development of future unit tests. Use configure --with-atf to
build ATF internally or configure --with-atf=prefix to use an
external copy. [RT #23209]
* Added more verbose error reporting from DLZ LDAP. [RT #23402]
* The DLZ "dlopen" driver is now built by default, no longer
requiring a configure option. To disable it, use "configure
--without-dlopen". (Note: driver not supported on win32.) [RT
#23467]
* Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
* Make --with-gssapi default for ./configure. [RT #23738]
Bug Fixes
* During RFC5011 processing some journal write errors were not
detected. This could lead to managed-keys changes being committed
but not recorded in the journal files, causing potential
inconsistencies during later processing. [RT #20256]
A potential NULL pointer deference in the DNS64 code could cause
named to terminate unexpectedly. [RT #20256]
A state variable relating to DNSSEC could fail to be set during
some infrequently-executed code paths, allowing it to be used
whilst in an unitialized state during cache updates, with
unpredictable results. [RT #20256]
A potential NULL pointer deference in DNSSEC signing code could
cause named to terminate unexpectedly [RT #20256]
Several cosmetic code changes were made to silence warnings
generated by a static code analysis tool. [RT #20256]
* When using the -x (sign with only KSK) option on dnssec-signzone,
it could incorrectly count the number of ZSKs in the zone. (And in
9.9.0, some code cleanup and improved warning messages). [RT
#20852]
* When using _builtin in named.conf, named.conf changes were not
found when reloading the config file. Now checks _builtin zone
arguments to see if the zone is re-usable or not. [RT #21914]
* Running dnssec-settime -f on an old-style key will now force the
key to be rewritten to the new key for