Commit 60e1a4f7 authored by ISC's avatar ISC Committed by Internet Software Consortium, Inc

9.10.0b1

parent eba428e8
--- 9.10.0b1 released ---
3755. [func] Add stats counters for known EDNS options + others.
[RT #35447]
3754. [cleanup] win32: Installer now places files in the
Program Files area rather than system services.
[RT #35361]
3753. [bug] allow-notify was ignoring keys. [RT #35425]
3752. [bug] Address potential REQUIRE failure if
DNS_STYLEFLAG_COMMENTDATA is set when printing out
a rdataset.
3751. [tuning] The default setting for the -U option (setting
the number of UDP listeners per interface) has
been adjusted to improve performance. [RT #35417]
3750. [experimental] Partially implement EDNS EXPIRE option as described
in draft-andrews-dnsext-expire-00. Retrieval of
the remaining time until expiry for slave zones
is supported.
EXPIRE uses an experimental option code (65002),
which is subject to change. [RT #35416]
3749. [func] "dig +subnet" sends an EDNS client subnet option
containing the specified address/prefix when
querying. (Thanks to Wilmer van der Gaast.)
[RT #35415]
3748. [test] Use delve to test dns_client interfaces. [RT #35383]
3747. [bug] A race condition could lead to a core dump when
destroying a resolver fetch object. [RT #35385]
3746. [func] New "max-zone-ttl" option enforces maximum
TTLs for zones. If loading a zone containing a
higher TTL, the load fails. DDNS updates with
higher TTLs are accepted but the TTL is truncated.
(Note: Currently supported for master zones only;
inline-signing slaves will be added.) [RT #38405]
3745. [func] "configure --with-tuning=large" adjusts various
compiled-in constants and default settings to
values suited to large servers with abundant
memory. [RT #29538]
3744. [experimental] SIT: send and process Source Identity Tokens
(similar to DNS Cookies by Donald Eastlake 3rd),
which are designed to help clients detect off-path
spoofed responses and for servers to identify
legitimate clients.
SIT uses an experimental EDNS option code (65001),
which will be changed to an IANA-assigned value
if the experiment is deemed a success.
SIT can be enabled via "configure --enable-sit" (or
--enable-developer). It is enabled by default in
Windows.
Servers can be configured to send smaller responses
to clients that have not identified themselves via
SIT. RRL processing has also been updated;
legitimate clients are not subject to rate
limiting. [RT #35389]
3743. [bug] delegation-only flag wasn't working in forward zone
declarations despite being documented. This is
needed to support turning off forwarding and turning
on delegation only at the same name. [RT #35392]
3742. [port] linux: libcap support: declare curval at start of
block. [RT #35387]
3741. [func] "delve" (domain entity lookup and validation engine):
A new tool with dig-like semantics for performing DNS
lookups, with internal DNSSEC validation, using the
same resolver and validator logic as named. This
allows easy validation of DNSSEC data in environments
with untrustworthy resolvers, and assists with
troubleshooting of DNSSEC problems. (Note: not yet
available on win32.) [RT #32406]
3740. [contrib] Minor fixes to configure --with-dlz-bdb,
--with-dlz-postgres and --with-dlz-odbc. [RT #35340]
3739. [func] Added per-zone stats counters to track TCP and
UDP queries. [RT #35375]
3738. [bug] --enable-openssl-hash failed to build. [RT #35343]
3737. [bug] 'rndc retransfer' could trigger a assertion failure
with inline zones. [RT #35353]
3736. [bug] nsupdate: When specifying a server by name,
fall back to alternate addresses if the first
address for that name is not reachable. [RT #25784]
3735. [cleanup] Merged the libiscpk11 library into libisc
to simplify dependencies. [RT #35205]
3734. [bug] Improve building with libtool. [RT #35314]
3733. [func] Improve interface scanning support. Interface
information will be automatically updated if the
OS supports routing sockets (MacOS, *BSD, Linux).
Use "automatic-interface-scan no;" to disable.
Add "rndc scan" to trigger a scan. [RT #23027]
3732. [contrib] Fixed a type mismatch causing the ODBC DLZ
driver to dump core on 64-bit systems. [RT #35324]
3731. [func] Added a "no-case-compress" ACL, which causes
named to use case-insensitive compression
(disabling change #3645) for specified
clients. (This is useful when dealing
with broken client implementations that
use case-sensitive name comparisons,
rejecting responses that fail to match the
capitalization of the query that was sent.)
[RT #35300]
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]
3729. [bug] dnssec-keygen could set the publication date
incorrectly when only the activation date was
specified on the command line. [RT #35278]
3728. [doc] Expanded native-PKCS#11 documentation,
specifically pkcs11: URI labels. [RT #35287]
3727. [func] The isc_bitstring API is no longer used and
has been removed from libisc. [RT #35284]
3726. [cleanup] Clarified the error message when attempting
to configure more than 32 response-policy zones.
[RT #35283]
3725. [contrib] Updated zkt and nslint to newest versions,
cleaned up and rearranged the contrib
directory, and added a README.
--- 9.10.0a2 released ---
3724. [bug] win32: Fixed a bug that prevented dig and
......@@ -2050,7 +2198,7 @@
as a zone's masters clause. This means it is
now possible to specify a TSIG key to use when
sending notifies to a given server, or to include
an explicit named masters list in an also-notfiy
an explicit named masters list in an also-notify
statement. [RT #23508]
3108. [cleanup] dnssec-signzone: Clarified some error and
......
......@@ -23,6 +23,7 @@ top_srcdir = @top_srcdir@
SUBDIRS = make unit lib bin doc @LIBEXPORT@
TARGETS =
PREREQS = bind.keys.h
MANPAGES = isc-config.sh.1
......@@ -32,6 +33,9 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
distclean::
rm -f config.cache config.h config.log config.status TAGS
rm -f libtool isc-config.sh configure.lineno
......@@ -41,6 +45,7 @@ distclean::
# to make it.
maintainer-clean::
rm -f configure
rm -f bind.keys.h
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
......
......@@ -57,14 +57,36 @@ BIND 9.10.0
releases. New features include:
- DNS Response-rate limiting (DNS RRL), which blunts the
impact of reflection and amplification attacks, is
always compiled in and no longer requires a compile-time
option to enable it.
- A new zone file format, "map", allows zone data to be
stored in a format that can be mapped directly into memory,
allowing much faster zone loading.
impact of reflection and amplification attacks, is always
compiled in and no longer requires a compile-time option
to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
is now available. Similar to DNS Cookies as invented by
Donald Eastlake 3rd, these are designed to enable clients
to detect off-path spoofed responses, and to enable servers
to detect spoofed-source queries. Servers can be configured
to send smaller responses to clients that have not identified
themselves using a SIT option, reducing the effectiveness of
amplification attacks. RRL processing has also been updated;
clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this
feature in BIND.
- A new zone file format, "map", stores zone data in a
format that can be mapped directly into memory, allowing
significantly faster zone loading.
- "delve" (domain entity lookup and validation engine) is a
new tool with dig-like semantics for looking up DNS data
and performing internal DNSSEC validation. This allows
easy validation in environments where the resolver may
not be trustworthy, and assists with troubleshooting of
DNSSEC problems.
- Improved EDNS(0) processing for better resolver performance
and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
compiled-in constants and default settings to values better
suited to large servers with abundant memory. This can
improve performance on such servers, but will consume more
memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
performance. Up to 32 response-policy zones can be
configured with minimal performance loss.
......@@ -76,33 +98,47 @@ BIND 9.10.0
- New "rpz-client-ip" triggers and drop policies allowing
response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
using the MaxMind GeoIP databases.
using the MaxMind GeoIP databases. Use "configure
--with-geoip" to enable.
- Zone data can now be shared between views, allowing
multiple views to serve the same zones authoritatively
without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
includes many new statistics and uses a flattened XML tree
for faster parsing.
for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
XML statistics in charts and graphs on javascript-enabled
browsers.
- The statistics channel can now provide data in JSON
format as well as XML.
- New stats counters track TCP and UDP queries on a
per-zone basis.
- The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself.
- A new compile-time option allows the BIND 9 cryptography
functions to use the PKCS#11 API natively, so that BIND
can drive a cryptographic hardware service module directly
instead of using a modified OpenSSL as an intermediary.
This has been tested with the Thales nShield HSM and with
SoftHSMv2 from the Open DNSSEC project.
- New 'dnssec-coverage' tool to check DNSSEC key coverage
- A new compile-time option, "configure --enable-native-pkcs11",
allows BIND 9 cryptography functions to use the PKCS#11 API
natively, so that BIND can drive a cryptographic hardware
service module (HSM) directly instead of using a modified
OpenSSL as an intermediary. This has been tested with the
Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC
project.
- The new "max-zone-ttl" option enforces maximum TTLs for
zones. This can simplify the process of rolling DNSSEC keys
by guaranteeing that cached signatures will have expired
within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
querying.
- "dig +expire" sends an EDNS EXPIRE option when querying.
When this option is sent with an SOA query to a server
that supports it, it will report the expiry time of
a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has
been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
for the "rndc" control channel.
- 'named-checkzone' and 'named-compilezone' can now read
- "named-checkzone" and "named-compilezone" can now read
journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
zones can be configured to be served from a specific DLZ
......@@ -112,10 +148,11 @@ BIND 9.10.0
- "named" now listens on IPv6 as well as IPv4 interfaces
by default.
- "named" now preserves the capitalization of names when
responding to queries.
responding to queries. The former behavior can be restored
for specific clients via the new "no-case-compress" ACL.
- new "dnssec-importkey" command allows the use of offline
DNSSEC keys with automatic DNSKEY management.
- New 'named-rrchecker' tool to verify the syntactic
- New "named-rrchecker" tool to verify the syntactic
correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
drops signatures from keys that are still published but are
......@@ -124,7 +161,11 @@ BIND 9.10.0
files with the shared secrets obscured, making it easier to
share configuration (e.g. when submitting a bug report)
without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
changes in local addresses.
- On operating systems with support for routing sockets,
network interfaces are re-scanned automatically whenever
they change.
BIND 9.9.0
......@@ -286,6 +327,14 @@ Building
To build shared libraries, specify "--with-libtool" on the
configure command line.
Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g, 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller
systems.
For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
......@@ -416,6 +465,14 @@ Change Log
[doc] Documentation
[contrib] Changes to the contributed tools and
libraries in the 'contrib' subdirectory
[placeholder] Used in the master development branch to
reserve change numbers for use in other
branches, e.g. when fixing a bug that only
exists in older releases
In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
......
# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2004, 2007, 2009, 2012-2014 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
......@@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
SUBDIRS = named rndc dig delve dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
......
......@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES} ${ISCPK11_INCLUDES}
${ISC_INCLUDES}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
......@@ -34,13 +34,11 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
......@@ -72,15 +70,14 @@ named-checkzone.@O@: named-checkzone.c
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS} ${ISCPK11DEPLIBS}
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ \
${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
......
/*
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
......@@ -40,12 +40,17 @@
#include <isc/types.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
#include <dns/types.h>
#include <dns/zone.h>
......@@ -108,6 +113,7 @@ unsigned int zone_options = DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_CHECKWILDCARD |
DNS_ZONEOPT_WARNMXCNAME |
DNS_ZONEOPT_WARNSRVCNAME;
unsigned int zone_options2 = 0;
/*
* This needs to match the list in bin/named/log.c.
......@@ -577,11 +583,93 @@ setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
return (ISC_R_SUCCESS);
}
/*% scan the zone for oversize TTLs */
static isc_result_t
check_ttls(dns_zone_t *zone, dns_ttl_t maxttl) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbversion_t *version = NULL;
dns_dbnode_t *node = NULL;
dns_dbiterator_t *dbiter = NULL;
dns_rdatasetiter_t *rdsiter = NULL;
dns_rdataset_t rdataset;
dns_fixedname_t fname;
dns_name_t *name;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_rdataset_init(&rdataset);
CHECK(dns_zone_getdb(zone, &db));
INSIST(db != NULL);
CHECK(dns_db_newversion(db, &version));
CHECK(dns_db_createiterator(db, 0, &dbiter));
for (result = dns_dbiterator_first(dbiter);
result == ISC_R_SUCCESS;
result = dns_dbiterator_next(dbiter)) {
result = dns_dbiterator_current(dbiter, &node, name);
if (result == DNS_R_NEWORIGIN)
result = ISC_R_SUCCESS;
CHECK(result);
CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsiter));
for (result = dns_rdatasetiter_first(rdsiter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(rdsiter)) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.ttl > maxttl) {
char nbuf[DNS_NAME_FORMATSIZE];
char tbuf[255];
isc_buffer_t b;
isc_region_t r;
dns_name_format(name, nbuf, sizeof(nbuf));
isc_buffer_init(&b, tbuf, sizeof(tbuf) - 1);
CHECK(dns_rdatatype_totext(rdataset.type, &b));
isc_buffer_usedregion(&b, &r);
r.base[r.length] = 0;
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/%s TTL %d exceeds "
"maximum TTL %d",
nbuf, tbuf, rdataset.ttl, maxttl);
dns_rdataset_disassociate(&rdataset);
CHECK(ISC_R_RANGE);
}
dns_rdataset_disassociate(&rdataset);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
CHECK(result);
dns_rdatasetiter_destroy(&rdsiter);
dns_db_detachnode(db, &node);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
cleanup:
if (node != NULL)
dns_db_detachnode(db, &node);
if (rdsiter != NULL)
dns_rdatasetiter_destroy(&rdsiter);
if (dbiter != NULL)
dns_dbiterator_destroy(&dbiter);
if (version != NULL)
dns_db_closeversion(db, &version, ISC_FALSE);
if (db != NULL)
dns_db_detach(&db);
return (result);
}
/*% load the zone */
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_masterformat_t fileformat, const char *classname,
dns_zone_t **zonep)
dns_ttl_t maxttl, dns_zone_t **zonep)
{
isc_result_t result;
dns_rdataclass_t rdclass;
......@@ -618,7 +706,11 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_zone_setclass(zone, rdclass);
dns_zone_setoption(zone, zone_options, ISC_TRUE);
dns_zone_setoption2(zone, zone_options2, ISC_TRUE);
dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);