Release Notes

Introduction

BIND 9.21 is an unstable development release of BIND. This document summarizes new features and functional changes that have been introduced on this branch. With each development release leading up to the stable BIND 9.22 release, this document will be updated with additional features added and bugs fixed. Please see the Changelog file for a more detailed list of changes and bug fixes.

Supported Platforms

See the Supported Platforms section in the Resource Requirements chapter.

Download

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Known Issues

  • On some platforms, including FreeBSD, named must be run as root to use the rndc control channel on a privileged port (i.e., with a port number less than 1024; this includes the default rndc port, 953). Currently, using the named -u option to switch to an unprivileged user makes rndc unusable. This will be fixed in a future release; in the meantime, mac_portacl can be used as a workaround, as documented in https://kb.isc.org/docs/aa-00621. [GL #4793]

Notes for BIND 9.21.0

New Features

  • Implement rndc retransfer -force.

    A new optional argument -force has been added to the command rndc retransfer. When it is specified, named aborts the ongoing zone transfer (if there is one) and starts a new transfer. [GL #2299] [GL !9102]

  • Add support for external log rotation tools.

    Add two mechanisms to close open log files. The first is rndc closelogs. The second is kill -USR1 <pid>. They are intended to be used with external log rotation tools. [GL #4780] [GL !9113]

  • dig now reports a missing QUESTION section for messages with opcode QUERY.

    Query responses should contain the QUESTION section, with some exceptions. dig was not reporting this. [GL #4808] [GL !9233]

Removed Features

  • Remove OpenSSL 1.x engine support.

    OpenSSL 1.x engine support has been deprecated in OpenSSL 3.x and is going to be removed from the OpenSSL code base. Remove OpenSSL engine support from BIND 9 in favor of OpenSSL 3.x providers. [GL #4828] [GL !9252]

Feature Changes

  • Require at least OpenSSL 1.1.1.

    OpenSSL 1.1.1 or newer (or an equivalent LibreSSL version) is now required to compile BIND 9. [GL #2806] [GL !9110]

  • Tighten max-recursion-queries and add max-query-restarts configuration statement.

    There were cases when the max-recursion-queries quota was ineffective. It was possible to craft zones that would cause a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting errors in the implementation of max-recursion-queries and by reducing the default value from 100 to 32.

    In addition, a new max-query-restarts configuration statement has been added, which limits the number of times a recursive server will follow CNAME or DNAME records before terminating resolution. This was previously a hard-coded limit of 16 but is now configurable with a default value of 11.

    ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue. [GL #4741] [GL !9281]

  • Allow shorter resolver-query-timeout configuration.

    The minimum allowed value of resolver-query-timeout was lowered from its previous value of 10 000 milliseconds (which is still the default) to 301 milliseconds. Note however that values of 1 to 300 inclusive are interpreted as seconds before applying the limit. A value of zero is interpreted as the default. [GL #4320] [GL !9091]

  • Raise the log level of priming failures.

    When a priming query is complete, it was previously logged at level DEBUG(1), regardless of success or failure. It is now logged to NOTICE in the case of failure. [GL #3516] [GL !9121]

Bug Fixes

  • Fix a crash caused by valid TSIG signatures with invalid time.

    An assertion failure was triggered when the TSIG had a valid cryptographic signature but the time was invalid. This could happen when the times between the primary and secondary servers were not synchronised. The crash has now been fixed. [GL #4811] [GL !9234]

  • Return SERVFAIL for a too long CNAME chain.

    When following long CNAME chains, named was returning NOERROR (along with a partial answer) instead of SERVFAIL, if the chain exceeded the maximum length. This has been fixed. [GL #4449] [GL !9090]

  • Reconfigure catz member zones during named reconfiguration.

    During a reconfiguration, named wasn’t reconfiguring catalog zones’ member zones. This has been fixed. [GL #4733]

  • Update key lifetime and metadata after dnssec-policy reconfiguration.

    Adjust key state and timing metadata if dnssec-policy key lifetime configuration is updated, so that it also affects existing keys. [GL #4677] [GL !9118]

  • Fix a crash during zone modification.

    Fix an assertion failure that could happen when an authoritative zone was modified while the server was generating an answer from that zone. [GL #4691] [GL !9126]

  • Fix assertion failure when executing named-checkconf -v to print its version. [GL #4827] [GL !9243]

  • Fix generation of 6to4-self name expansion from IPv4 address.

    The period between the most significant nibble of the encoded IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the wrong name being checked. This has been fixed. [GL #4766] [GL !9099]

  • dig +yaml was producing unexpected and/or invalid YAML. output. [GL #4796] [GL !9127]

  • SVBC ALPN text parsing failed to reject zero-length ALPN. [GL #4775] [GL !9106]

  • Fix false QNAME minimisation error being reported.

    Remove the false positive success resolving log message when QNAME minimisation is in effect and the final result is an NXDOMAIN. [GL #4784] [GL !9117]

  • Fix --enable-tracing build on systems without dtrace.

    A missing util/dtrace.sh file prevented builds on systems without the dtrace utility. This has been corrected. [GL #4835] [GL !9262]

Known Issues

  • There are no new known issues with this release. See above for a list of all known issues affecting this BIND 9 branch.

License

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

End of Life

BIND 9.21 is an unstable development branch. When its development is complete, it will be renamed to BIND 9.22, which will be a stable branch. The end-of-life date for BIND 9.22 has not yet been determined. For those needing long-term stability, the current Extended Support Version (ESV) is BIND 9.18, which will be supported until at least December 2025. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible.