BIND 9.7.0a3 is now available.

        BIND 9.7.0a3 is the third alpha release of BIND 9.7.0.

Overview:

        This is a technology preview of new functionality to be
        included in BIND 9.7.0.  Not all new functionality is in
        place.  APIs and configuration syntax are not yet frozen.

        BIND 9.7 includes a number of changes from BIND 9.6 and earlier
        releases.  Most are intended to simplify DNSSEC configuration
        and operation.

New features include:

        - Simplified configuration of DNSSEC Lookaside Validation (DLV).
        - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
          command line tool or the "local" update-policy option.  (As a side
          effect, this also makes it easier to configure automatic zone
          re-signing.)
        - New named option "attach-cache" that allows multiple views to
          share a single cache.
        - DNS rebinding attack prevention.
        - New default values for dnssec-keygen parameters.
        - Support for RFC 5011 automated trust anchor maintenance
          (see README.rfc5011 for additional details).
        - Smart signing: simplified tools for zone signing and key
          maintenance.
        - The "statistics-channels" option is now available on Windows.
        - A new DNSSEC-aware libdns API for use by non-BIND9 applications
          (see README.libdns for details).
        - On some platforms, named and other binaries can now print out
          a stack backtrace on an assertion failure, to aid in debugging.
        - A "tools only" installation mode on Windows, which only installs
          dig, host, nslookup and nsupdate.
        - Improved PKCS#11 support, including Keyper support (see
          README.pkcs11 for additional details).

Additional features planned but not included in this alpha release:

        - Fully automatic signing of zones by "named"
        - Additional PKCS#11 support, including multiple OpenSSL engines

BIND 9.7.0a3 can be downloaded from:

        ftp://ftp.isc.org/isc/bind9/9.7.0a3/bind-9.7.0a3.tar.gz

The PGP signature of the distribution is at:

        ftp://ftp.isc.org/isc/bind9/9.7.0a3/bind-9.7.0a3.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/bind-9.7.0a3.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/bind-9.7.0a3.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp

A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:

        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.zip
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.debug.zip

The PGP signature of the binary kit is at:
        
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.zip.sha512.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.debug.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.debug.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.0a3/BIND9.7.0a3.debug.zip.sha512.asc

Changes since previous alpha (9.7.0a2):

        --- 9.7.0a3 released ---

2674.   [bug]           "dnssec-lookaside auto;" crashed if named was built
                        without openssl. [RT #20231]

2673.   [bug]           The managed-keys.bind zone file could fail to
                        load due to a spurious result from sync_keyzone()
                        [RT #20045]

2672.   [bug]           Don't enable searching in 'host' when doing reverse
                        lookups. [RT #20218]

2671.   [bug]           Add support for PKCS#11 providers not returning
                        the public exponent in RSA private keys
                        (OpenCryptoki for instance) in
                        dnssec-keyfromlabel. [RT #19294]

2670.   [bug]           Unexpected connect failures failed to log enough
                        information to be useful. [RT #20205]

2669.   [func]          Update PKCS#11 support to support Keyper HSM.
                        Update PKCS#11 patch to be against openssl-0.9.8i.

2668.   [func]          Several improvements to dnssec-* tools, including:
                        - dnssec-keygen and dnssec-settime can now set key
                          metadata fields 0 (to unset a value, use "none")
                        - dnssec-revoke sets the revocation date in
                          addition to the revoke bit
                        - dnssec-settime can now print individual metadata
                          fields instead of always printing all of them,
                          and can print them in unix epoch time format for
                          use by scripts
                        [RT #19942]

2667.   [func]          Add support for logging stack backtrace on assertion
                        failure (not available for all platforms). [RT #19780]

2666.   [func]          Added an 'options' argument to dns_name_fromstring()
                        (API change from 9.7.0a2). [RT #20196]

2665.   [func]          Clarify syntax for managed-keys {} statement, add
                        ARM documentation about RFC 5011 support. [RT #19874]

2664.   [bug]           create_keydata() and minimal_update() in zone.c 
                        didn't properly check return values for some
                        functions.  [RT #19956]

2663.   [func]          win32:  allow named to run as a service using
                        "NT AUTHORITY\LocalService" as the account. [RT #19977]

2662.   [bug]           lwres_getipnodebyname() and lwres_getipnodebyaddr() 
                        returned a misleading error code when lwresd was
                        down. [RT #20028]

2661.   [bug]           Check whether socket fd exceeds FD_SETSIZE when
                        creating lwres context. [RT #20029]

2660.   [func]          Add a new set of DNS libraries for non-BIND9
                        applications.  See README.libdns. [RT #19369]

2659.   [doc]           Clarify dnssec-keygen doc: key name must match zone
                        name for DNSSEC keys. [RT #19938]

2658.   [bug]           dnssec-settime and dnssec-revoke didn't process
                        key file paths correctly. [RT #20078]

2657.   [cleanup]       Lower "journal file <path> does not exist, creating it"
                        log level to debug 1. [RT #20058]

2656.   [func]          win32: add a "tools only" check box to the installer
                        which causes it to only install dig, host, nslookup,
                        nsupdate and relevant DLLs.  [RT #19998]

2655.   [doc]           Document that key-directory does not affect
                        bind.keys, rndc.key or session.key.  [RT #20155]

2654.   [bug]           Improve error reporting on duplicated names for
                        deny-answer-xxx. [RT #20164]

2653.   [bug]           Treat ENGINE_load_private_key() failures as key
                        not found rather than out of memory.  [RT #18033]

2652.   [func]          Provide more detail about what record is being
                        deleted. [RT #20061]

2651.   [bug]           Dates could print incorrectly in K*.key files on
                        64-bit systems. [RT #20076]

2650.   [bug]           Assertion failure in dnssec-signzone when trying
                        to read keyset-* files. [RT #20075]

2649.   [bug]           Set the domain for forward only zones. [RT #19944]

2648.   [port]          win32: isc_time_seconds() was broken. [RT #19900]

2647.   [bug]           Remove unnecessary SOA updates when a new KSK is
                        added. [RT #19913]

2646.   [bug]           Incorrect cleanup on error in socket.c. [RT #19987]

2645.   [port]          "gcc -m32" didn't work on amd64 and x86_64 platforms
                        which default to 64 bits. [RT #19927]

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.