Commit d2e900b3 authored by Ondrej Sury's avatar Ondrej Sury

New upstream version 9.15.0

parent a1052ac7
......@@ -60,5 +60,12 @@
(eval setq flycheck-clang-include-path include-directories)
(eval setq flycheck-cppcheck-include-path include-directories)
(eval setq flycheck-clang-args
(list
"-include"
(expand-file-name
(concat directory-of-current-dir-locals-file "config.h"))
)
)
)
))
*.sln.in eol=crlf
*.vcxproj.in eol=crlf
*.vcxproj.filters.in eol=crlf
*.vcxproj.* eol=crlf
--- 9.14.2 released ---
--- 9.15.0 released ---
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]
5232. [placeholder]
5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG.
[GL #960]
5230. [protocol] The SHA-1 hash algorithm is no longer used when
generating DS and CDS records. [GL #1015]
5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
5228. [cleanup] If trusted-keys and managed-keys are configured
simultaneously for the same name, the key cannot
be rolled automatically. This configuration now
logs a warning. [GL #868]
5228. [func] If trusted-keys and managed-keys were configured
simultaneously for the same name, the key could
not be be rolled automatically. This is now
a fatal configuration error. [GL #868]
5227. [placeholder]
5226. [placeholder]
5225. [func] Allow dig to print out AAAA record fully expanded.
with +[no]expandaaaa. [GL #765]
5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
......@@ -48,6 +60,8 @@
as a service to be killed prematurely during shutdown.
[GL #978]
5212. [placeholder]
5211. [bug] Allow out-of-zone additional data to be included
in authoritative responses if recursion is allowed
and "minimal-responses" is disabled. This behavior
......@@ -81,11 +95,6 @@
5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
5190. [bug] Ignore trust anchors using disabled algorithms.
[GL #806]
--- 9.14.1 released ---
5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
5200. [security] tcp-clients settings could be exceeded in some cases,
......@@ -116,25 +125,38 @@
5193. [bug] EID and NIMLOC failed to do multi-line output
correctly. [GL #899]
5192. [placeholder]
5191. [placeholder]
5190. [bug] Ignore trust anchors using disabled algorithms.
[GL #806]
5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
5188. [func] The "dnssec-enable" option is deprecated and no
longer has any effect; DNSSEC responses are
always enabled. [GL #866]
5187. [test] Set time zone before running any tests in dnstap_test.
[GL #940]
5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]
5185. [placeholder]
5184. [bug] Missing unlocks in sdlz.c. [GL #936]
5183. [bug] Reinitialize ECS data before reusing client
structures. [GL #881]
--- 9.14.0 released ---
--- 9.14.0rc3 released ---
5182. [bug] Fix a high-load race/crash in handling of
isc_socket_close() in resolver. [GL #834]
5181. [func] Add a mechanism for a DLZ module to signal that
the view's allow-transfer ACL should be used to
determine whether transfers are allowed. [GL #803]
5180. [bug] delv now honors the operating system's preferred
ephemeral port range. [GL #925]
......@@ -149,11 +171,6 @@
response-policy zone's SOA record should be added
to the additional section (add-soa yes/no). [GL #865]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892]
--- 9.14.0rc2 released ---
5176. [tests] Remove a dependency on libxml in statschannel system
test. [GL #926]
......@@ -183,12 +200,15 @@
empty node could cause a crash while processing a
type ANY query. [GL #901]
--- 9.14.0rc1 released ---
5168. [bug] Do not crash on shutdown when RPZ fails to load. Also,
keep previous version of the database if RPZ fails to
load. [GL #813]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892]
5166. [placeholder]
5165. [contrib] Removed SDB drivers from contrib; they're obsolete.
[GL #428]
......@@ -216,20 +236,6 @@
5157. [bug] Nslookup now errors out if there are extra command
line arguments. [GL #207]
5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
--- 9.13.6 released ---
5156. [doc] Extended and refined the section of the ARM describing
mirror zones. [GL #774]
......@@ -288,6 +294,10 @@
and "nsdname-enable" both now default to yes,
regardless of compile-time settings. [GL #824]
5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
5140. [bug] Don't immediately mark existing keys as inactive and
deleted when running dnssec-keymgr for the first
time. [GL #117]
......@@ -358,6 +368,11 @@
5119. [placeholder]
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
5117. [placeholder]
5116. [bug] Named/named-checkconf triggered a assertion when
......@@ -378,6 +393,9 @@
5111. [bug] Occluded DNSKEY records could make it into the
delegating NSEC/NSEC3 bitmap. [GL #742]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
--- 9.13.5 released ---
......
Functional enhancements from prior major releases of BIND 9
BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch) includes
a number of changes from BIND 9.12 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below
which DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with libidn2.
* "named -V" now outputs the default paths for files used by named and
other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See https://dnsflagday.net for more details.
Cryptographic support has been modernized. BIND now uses the best
available pseudo-random number generator for the platform on which it's
built. Very old versions of OpenSSL are no longer supported. Cryptography
is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier
releases. New features include:
* named and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting 'max-journal-size default' now limits the size of journal
files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in rndc-confgen is now hmac-sha256.
* filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
......
......@@ -10,6 +10,81 @@
-->
### Functional enhancements from prior major releases of BIND 9
#### BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch)
includes a number of changes from BIND 9.12 and earlier releases.
New features include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
* Secondary zones can now be configured as "mirror" zones; their contents
are transferred in as with traditional slave zones, but are subject to
DNSSEC validation and are not treated as authoritative data when
answering. This makes it easier to configure a local copy of the root
zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below which
DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with `libidn2`.
* "named -V" now outputs the default paths for files used by named
and other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See [https://dnsflagday.net](https://dnsflagday.net)
for more details.
Cryptographic support has been modernized. BIND now uses the
best available pseudo-random number generator for the platform on which
it's built. Very old versions of OpenSSL are no longer supported.
Cryptography is now mandatory: building BIND without DNSSEC is no
longer supported.
Special code to support certain legacy operating systems has also
been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
of supported platforms. In addition to OpenSSL, BIND now requires
support for IPv6, threads, and standard atomic operations provided
by the C compiler.
#### BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier releases.
New features include:
* `named` and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones --
and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been moved
into a new `libns` library, for easier testing and use in tools other
than `named`.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting `'max-journal-size default'` now limits the size of journal files
to twice the size of the zone.
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `dnstap` output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or ISO
8601 (UTC) formats.
* Logging channels and `dnstap` output files can now be configured to use a
timestamp as the suffix when rolling to a new file.
* `'named-checkconf -l'` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in `rndc-confgen` is now hmac-sha256.
* `filter-aaaa-on-v4` and `filter-aaaa-on-v6` options are now available
by default without a configure option.
* The obsolete `isc-hmac-fixup` command has been removed.
#### BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
......
......@@ -13,7 +13,7 @@ offer support on a "best effort" basis for some.
Regularly tested platforms
As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
......@@ -51,7 +51,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
Unsupported platforms
These are platforms on which BIND 9.14 is known not to build or run:
These are platforms on which BIND 9.15 is known not to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86
......
......@@ -23,7 +23,7 @@ offer support on a "best effort" basis for some.
### Regularly tested platforms
As of Feb 2019, BIND 9.14 is fully supported and regularly tested on the
As of Feb 2019, BIND 9.15 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
......@@ -60,7 +60,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
## Unsupported platforms
These are platforms on which BIND 9.14 is known *not* to build or run:
These are platforms on which BIND 9.15 is known *not* to build or run: