Commit 0d05f46a authored by Ondrej Sury's avatar Ondrej Sury

New upstream version 9.11.2+dfsg

parent 664205aa

Too many changes to show.

To preserve performance only 1000 of 1000+ files are displayed.

This diff is collapsed.
Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Copyright (C) 1996-2017 Internet Systems Consortium, Inc. ("ISC")
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Portions of this code release fall under one or more of the
following Copyright notices. Please see individual source
......@@ -536,3 +529,66 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (C) 2008-2011 Red Hat, Inc.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 2013-2014, Farsight Security, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 2014 by Farsight Security, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
This diff is collapsed.
Functional enhancements from prior major releases of BIND 9
BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
* DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no
longer requires a compile-time option to enable it.
* An experimental "Source Identity Token" (SIT) EDNS option is now
available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
these are designed to enable clients to detect off-path spoofed
responses, and to enable servers to detect spoofed-source queries.
Servers can be configured to send smaller responses to clients that
have not identified themselves using a SIT option, reducing the
effectiveness of amplification attacks. RRL processing has also been
updated; clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this feature in
BIND.
* A new zone file format, "map", stores zone data in a format that can
be mapped directly into memory, allowing significantly faster zone
loading.
* "delv" (domain entity lookup and validation) is a new tool with
dig-like semantics for looking up DNS data and performing internal
DNSSEC validation. This allows easy validation in environments where
the resolver may not be trustworthy, and assists with troubleshooting
of DNSSEC problems. (NOTE: In previous development releases of BIND
9.10, this utility was called "delve". The spelling has been changed
to avoid confusion with the "delve" utility included with the Xapian
search engine.)
* Improved EDNS(0) processing for better resolver performance and
reliability over slow or lossy connections.
* A new "configure --with-tuning=large" option tunes certain compiled-in
constants and default settings to values better suited to large
servers with abundant memory. This can improve performance on such
servers, but will consume more memory and may degrade performance on
smaller systems.
* Substantial improvement in response-policy zone (RPZ) performance. Up
to 32 response-policy zones can be configured with minimal performance
loss.
* To improve recursive resolver performance, cache records which are
still being requested by clients can now be automatically refreshed
from the authoritative server before they expire, reducing or
eliminating the time window in which no answer is available in the
cache.
* New "rpz-client-ip" triggers and drop policies allowing response
policies based on the IP address of the client.
* ACLs can now be specified based on geographic location using the
MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
* Zone data can now be shared between views, allowing multiple views to
serve the same zones authoritatively without storing multiple copies
in memory.
* New XML schema (version 3) for the statistics channel includes many
new statistics and uses a flattened XML tree for faster parsing. The
older schema is now deprecated.
* A new stylesheet, based on the Google Charts API, displays XML
statistics in charts and graphs on javascript-enabled browsers.
* The statistics channel can now provide data in JSON format as well as
XML.
* New stats counters track TCP and UDP queries received per zone, and
EDNS options received in total.
* The internal and export versions of the BIND libraries (libisc,
libdns, etc) have been unified so that external library clients can
use the same libraries as BIND itself.
* A new compile-time option, "configure --enable-native-pkcs11", allows
BIND 9 cryptography functions to use the PKCS#11 API natively, so that
BIND can drive a cryptographic hardware service module (HSM) directly
instead of using a modified OpenSSL as an intermediary. (Note: This
feature requires an HSM to have a full implementation of the PKCS#11
API; many current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness. Native
PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
version 2 from the Open DNSSEC project.)
* The new "max-zone-ttl" option enforces maximum TTLs for zones. This
can simplify the process of rolling DNSSEC keys by guaranteeing that
cached signatures will have expired within the specified amount of
time.
* "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
* "dig +expire" sends an EDNS EXPIRE option when querying. When this
option is sent with an SOA query to a server that supports it, it will
report the expiry time of a slave zone.
* New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently
scheduled.
* Signing algorithm flexibility and other improvements for the "rndc"
control channel.
* "named-checkzone" and "named-compilezone" can now read journal files,
allowing them to process dynamic zones.
* Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases
now serve zones of type "master" and "redirect".
* "rndc zonestatus" reports information about a specified zone.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* "named" now preserves the capitalization of names when responding to
queries: for instance, a query for "example.com" may be answered with
"example.COM" if the name was configured that way in the zone file.
Some clients have a bug causing them to depend on the older behavior,
in which the case of the answer always matched the case of the query,
rather than the case of the name configured in the DNS. Such clients
can now be specified in the new "no-case-compress" ACL; this will
restore the older behavior of "named" for those clients only.
* new "dnssec-importkey" command allows the use of offline DNSSEC keys
with automatic DNSKEY management.
* New "named-rrchecker" tool to verify the syntactic correctness of
individual resource records.
* When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer
active.
* "named-checkconf -px" will print the contents of configuration files
with the shared secrets obscured, making it easier to share
configuration (e.g. when submitting a bug report) without revealing
private information.
* "rndc scan" causes named to re-scan network interfaces for changes in
local addresses.
* On operating systems with support for routing sockets, network
interfaces are re-scanned automatically whenever they change.
* "tsig-keygen" is now available as an alternate command name to use for
"ddns-confgen".
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
......
<!--
- Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
### Functional enhancements from prior major releases of BIND 9
#### BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
- DNS Response-rate limiting (DNS RRL), which blunts the
impact of reflection and amplification attacks, is always
compiled in and no longer requires a compile-time option
to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
is now available. Similar to DNS Cookies as invented by
Donald Eastlake 3rd, these are designed to enable clients
to detect off-path spoofed responses, and to enable servers
to detect spoofed-source queries. Servers can be configured
to send smaller responses to clients that have not identified
themselves using a SIT option, reducing the effectiveness of
amplification attacks. RRL processing has also been updated;
clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this
feature in BIND.
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool
with dig-like semantics for looking up DNS data and performing
internal DNSSEC validation. This allows easy validation in
environments where the resolver may not be trustworthy, and
assists with troubleshooting of DNSSEC problems. (NOTE:
In previous development releases of BIND 9.10, this utility
was called "delve". The spelling has been changed to avoid
confusion with the "delve" utility included with the Xapian
search engine.)
- Improved EDNS(0) processing for better resolver performance
and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
compiled-in constants and default settings to values better
suited to large servers with abundant memory. This can
improve performance on such servers, but will consume more
memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
performance. Up to 32 response-policy zones can be
configured with minimal performance loss.
- To improve recursive resolver performance, cache records
which are still being requested by clients can now be
automatically refreshed from the authoritative server
before they expire, reducing or eliminating the time
window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location