2 September 2011

[installer 2933] BIND 9.9.0a1

BIND 9.9.0a1 is out.

From the README:

BIND 9.9.0

BIND 9.9.0 includes a number of changes from BIND 9.6 and earlier
releases. New features include:


- NXDOMAIN redirection.
- Improved scalability from using multiple threads to
listen for queries.
- New 'rndc flushtree' command clears all data under a given
name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic zone
to disk without a freeze/thaw cycle.
- The 'also-notify' option now takes the same syntax as
'masters', so it can use named master lists and TSIG keys.
- 'auto-dnssec' zones can now have NSEC3 parameters set prior
to signing.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
number to the current UNIX time.


☆ BIND 9.9.0a1
https://www.isc.org/software/bind
ftp://ftp.isc.org/isc/bind/9.9.0a1/bind-9.9.0a1.tar.gz

Changes since 9.8.0b1 are as follows.

--- 9.9.0a1 released ---

3146. [test] Fixed gcc4.6.0 errors in ATF. [RT #25598]

3145. [test] Capture output of ATF unit tests in "./atf.out" if
there were any errors while running them. [RT #25527]

3144. [bug] dns_dbiterator_seek() could trigger an assert when
used with a nonexistent database node. [RT #25358]

3143. [bug] Silence clang compiler warnings. [RT #25174]

3142. [bug] NAPTR is class agnostic. [RT #25429]

3141. [bug] Silence spurious "zone serial (0) unchanged" messages
associated with empty zones. [RT #25079]

3140. [func] New command "rndc flushtree <name>" clears the
specified name from the server cache along with
all names under it. [RT #19970]

3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
for the hashing algorithms (md5, sha1 - sha512, and
their hmac counterparts). [RT #25067]

3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]

3137. [func] Improve hardware scalability by allowing multiple
worker threads to process incoming UDP packets.
This can significantly increase query throughput
on some systems. [RT #22992]

3136. [func] Add RFC 1918 reverse zones to the list of built-in
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]

3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
[RT #24950]

3134. [bug] Improve the accuracy of dnssec-signzone's signing
statistics. [RT #16030]

3133. [bug] Change #3114 was incomplete. [RT #24577]

3132. [placeholder]

3131. [tuning] Improve scalability by allocating one zone task
per 100 zones at startup time, rather than using a
fixed-size task table. [RT #24406]

3130. [func] Support alternate methods for managing a dynamic
zone's serial number. Two methods are currently
defined using serial-update-method, "increment"
(default) and "unixtime". [RT #23849]

3129. [bug] Named could crash on 'rndc reconfig' when
allow-new-zones was set to yes and named ACLs
were used. [RT #22739]

3128. [func] Inserting an NSEC3PARAM via dynamic update in an
auto-dnssec zone that has not been signed yet
will cause it to be signed with the specified NSEC3
parameters when keys are activated. The
NSEC3PARAM record will not appear in the zone until
it is signed, but the parameters will be stored.
[RT #23684]

3127. [bug] 'rndc thaw' will now remove a zone's journal file
if the zone serial number has been changed and
ixfr-from-differences is not in use. [RT #24687]

3126. [security] Using DNAME record to generate replacements caused
RPZ to exit with an assertion failure. [RT #24766]

3125. [security] Using wildcard CNAME records as a replacement with
RPZ caused named to exit with an assertion failure.
[RT #24715]

3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]

3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]

3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]

3121. [security] An authoritative name server sending a negative
response containing a very large RRset could
trigger an off-by-one error in the ncache code
and crash named. [RT #24650]

3120. [bug] Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]

3119. [bug] When rolling to a new DNSSEC key, a private-type
record could be created and never marked complete.
[RT #23253]

3118. [bug] nsupdate could dump core on shutdown when using
SIG(0) keys. [RT #24604]

3117. [cleanup] Remove doc and parser references to the
never-implemented 'auto-dnssec create' option.
[RT #24533]

3116. [func] New 'dnssec-update-mode' option controls updates
of DNSSEC records in signed dynamic zones. Set to
'no-resign' to disable automatic RRSIG regeneration
while retaining the ability to sign new or changed
data. [RT #24533]

3115. [bug] Named could fail to return requested data when
following a CNAME that points into the same zone.
[RT #24455]

3114. [bug] Retain expired RRSIGs in dynamic zones if key is
inactive and there is no replacement key. [RT #23136]

3113. [doc] Document the relationship between serial-query-rate
and NOTIFY messages.

3112. [doc] Add missing descriptions of the update policy name
types "ms-self", "ms-subdomain", "krb5-self" and
"krb5-subdomain", which allow machines to update
their own records, to the BIND 9 ARM.

3111. [bug] Improved consistency checks for dnssec-enable and
dnssec-validation, added test cases to the
checkconf system test. [RT #24398]

3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]

3109. [func] The also-notify option now uses the same syntax
as a zone's masters clause. This means it is
now possible to specify a TSIG key to use when
sending notifies to a given server, or to include
an explicit named masters list in an also-notify
statement. [RT #23508]

3108. [cleanup] dnssec-signzone: Clarified some error and
warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
code (use -P instead). [RT #20852]

3107. [bug] dnssec-signzone: Report the correct number of ZSKs
when using -x. [RT #20852]

3106. [func] When logging client requests, include the name of
the TSIG key if any. [RT #23619]

3105. [bug] GOST support can be suppressed by "configure
--without-gost" [RT #24367]

3104. [bug] Better support for cross-compiling. [RT #24367]

3103. [bug] Configuring 'dnssec-validation auto' in a view
instead of in the options statement could trigger
an assertion failure in named-checkconf. [RT #24382]

3102. [func] New 'dnssec-loadkeys-interval' option configures
how often, in minutes, to check the key repository
for updates when using automatic key maintenance.
Default is every 60 minutes (formerly hard-coded
to 12 hours). [RT #23744]

3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]

3100. [security] Certain response policy zone configurations could
trigger an INSIST when receiving a query of type
RRSIG. [RT #24280]

3099. [test] "dlz" system test now runs but gives R:SKIPPED if
not compiled with --with-dlz-filesystem. [RT #24146]

3098. [bug] DLZ zones were answering without setting the AA bit.
[RT #24146]

3097. [test] Add a tool to test handling of malformed packets.
[RT #24096]

3096. [bug] Set KRB5_KTNAME before calling log_cred() in
dst_gssapi_acceptctx(). [RT #24004]

3095. [bug] Handle isolated reserved ports in the port range.
[RT #23957]

3094. [doc] Expand dns64 documentation.

3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]

3092. [bug] Signatures for records at the zone apex could go
stale due to an incorrect timer setting. [RT #23769]

3091. [bug] Fixed a bug in which zone keys that were published
and then subsequently activated could fail to trigger
automatic signing. [RT #22911]

3090. [func] Make --with-gssapi default [RT #23738]

3089. [func] dnssec-dsfromkey now supports reading keys from
standard input "dnssec-dsfromkey -f -". [RT #20662]

3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
and add setup.sh in order to resolve changing
named.conf issue. [RT #23687]

3087. [bug] DDNS updates using SIG(0) with update-policy match
type "external" could cause a crash. [RT #23735]

3086. [bug] Running dnssec-settime -f on an old-style key will
now force an update to the new key format even if no
other change has been specified, using "-P now -A now"
as default values. [RT #22474]

3085. [func] New '-R' option in dnssec-signzone forces removal
of signatures which have not yet expired but
were generated by a key that no longer exists.
[RT #22471]

3084. [func] A new command "rndc sync" dumps pending changes in
a dynamic zone to disk; "rndc sync -clean" also
removes the journal file after syncing. Also,
"rndc freeze" no longer removes journal files.
[RT #22473]

3083. [bug] NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]

3082. [port] strtok_r is threads only. [RT #23747]

3081. [bug] Failure of DNAME substitution did not return
YXDOMAIN. [RT #23591]

3080. [cleanup] Replaced compile time constant by STDTIME_ON_32BITS.
[RT #23587]

3079. [bug] Handle isc_event_allocate failures in t_tasks.
[RT #23572]

3078. [func] Added a new include file with function typedefs
for the DLZ "dlopen" driver. [RT #23629]

3077. [bug] zone.c:zone_refreshkeys() incorrectly called
dns_zone_attach(), use zone->irefs instead. [RT #23303]

3076. [func] New '-L' option in dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL of the
key. When possible, automatic signing will use that
TTL when the key is published. [RT #23304]

3075. [bug] dns_dnssec_findzonekeys{2} used an inconsistent
timestamp when determining which keys are active.
[RT #23642]

3074. [bug] Make the adb cache read through for zone data and
glue learned for zones that named is authoritative for.
[RT #22842]

3073. [bug] managed-keys changes were not properly being recorded.
[RT #20256]

3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
[RT #20256]

3071. [bug] has_nsec could be used uninitialised in
update.c:next_active. [RT #20256]

3070. [bug] dnssec-signzone potential NULL pointer dereference.
[RT #20256]

3069. [cleanup] Silence warnings messages from clang static analysis.
[RT #20256]

3068. [bug] Named failed to build with an OpenSSL without engine
support. [RT #23473]

3067. [bug] ixfr-from-differences {master|slave}; failed to
select the master/slave zones. [RT #23580]

3066. [func] The DLZ "dlopen" driver is now built by default,
no longer requiring a configure option. To
disable it, use "configure --without-dlopen".
Driver also supported on win32. [RT #23467]

3065. [bug] RRSIG could have time stamps too far in the future.
[RT #23356]

3064. [bug] powerpc: add sync instructions to the end of atomic
operations. [RT #23469]

3063. [contrib] More verbose error reporting from DLZ LDAP. [RT #23402]

3062. [func] Made several changes to enhance human readability
of DNSSEC data in dig output and in generated
zone files:
- DNSKEY record comments are more verbose, no
longer used in multiline mode only
- multiline RRSIG records reformatted
- multiline output mode for NSEC3PARAM records
- "dig +norrcomments" suppresses DNSKEY comments
- "dig +split=X" breaks hex/base64 records into
fields of width X; "dig +nosplit" disables this.
[RT #22820]

3061. [func] New option "dnssec-signzone -D", only write out
generated DNSSEC records. [RT #22896]

3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]

3059. [test] Added a regression test for change #3023.

3058. [bug] Cause named to terminate at startup or rndc reconfig/
reload to fail, if a log file specified in the conf
file isn't a plain file. [RT #22771]

3057. [bug] "rndc secroots" would abort after the first error
and so could miss some views. [RT #23488]

3056. [func] Added support for URI resource record. [RT #23386]

3055. [placeholder]

3054. [bug] Added elliptic curve support check in
GOST OpenSSL engine detection. [RT #23485]

3053. [bug] Under a sustained high query load with a finite
max-cache-size, it was possible for cache memory
to be exhausted and not recovered. [RT #23371]

3052. [test] Fixed last autosign test report. [RT #23256]

3051. [bug] NS records obscure DNAME records at the bottom of the
zone if both are present. [RT #23035]

3050. [bug] The autosign system test was timing dependent.
Wait for the initial autosigning to complete
before running the rest of the test. [RT #23035]

3049. [bug] Save and restore the gid when creating
named.pid at startup. [RT #23290]

3048. [bug] Fully separate view key management. [RT #23419]

3047. [bug] DNSKEY NODATA responses were not cached; fixed in
validator.c. Tests added to dnssec system test.
[RT #22908]

3046. [bug] Use RRSIG original TTL to compute validated RRset
and RRSIG TTL. [RT #23332]

3045. [removed] Replaced by change #3050.

3044. [bug] Hold the socket manager lock while freeing the socket.
[RT #23333]

3043. [test] Merged in the NetBSD ATF test framework (currently
version 0.12) for development of future unit tests.
Use configure --with-atf to build ATF internally
or configure --with-atf=prefix to use an external
copy. [RT #23209]

3042. [bug] dig +trace could fail attempting to use IPv6
addresses on systems with only IPv4 connectivity.
[RT #23297]

3041. [bug] dnssec-signzone failed to generate new signatures on
ttl changes. [RT #23330]

3040. [bug] Named failed to validate insecure zones where a node
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]

3039. [func] Redirect on NXDOMAIN support. [RT #23146]

3038. [bug] Install <dns/rpz.h>. [RT #23342]

3037. [doc] Update COPYRIGHT to contain all the individual
copyright notices that cover various parts.

3036. [bug] Check built-in zone arguments to see if the zone
is re-usable or not. [RT #21914]

3035. [cleanup] Simplify by using strlcpy. [RT #22521]

3034. [cleanup] nslookup: use strlcpy instead of safecopy. [RT #22521]

3033. [cleanup] Add two INSIST(bucket != DNS_ADB_INVALIDBUCKET).
[RT #22521]

3032. [bug] rdatalist.c: add missing REQUIREs. [RT #22521]

3031. [bug] dns_rdataclass_format() handle a zero sized buffer.
[RT #22521]

3030. [bug] dns_rdatatype_format() handle a zero sized buffer.
[RT #22521]

3029. [bug] isc_netaddr_format() handle a zero sized buffer.
[RT #22521]

3028. [bug] isc_sockaddr_format() handle a zero sized buffer.
[RT #22521]

3027. [bug] Add documented REQUIREs to cfg_obj_asnetprefix() to
catch NULL pointer dereferences before they happen.
[RT #22521]

3026. [bug] lib/isc/httpd.c: check that we have enough space
after calling grow_headerspace() and if not
re-call grow_headerspace() until we do. [RT #22521]

3025. [bug] Fixed a possible deadlock due to zone resigning.
[RT #22964]

3024. [func] RTT Banding removed due to minor security increase
but major impact on resolver latency. [RT #23310]

3023. [bug] Named could be left in an inconsistent state when
receiving multiple AXFR response messages that were
not all TSIG-signed. [RT #23254]

3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
[RT #23246]

3021. [bug] Change #3010 was incomplete. [RT #22296]

3020. [bug] auto-dnssec failed to correctly update the zone when
changing the DNSKEY RRset. [RT #23232]

3019. [test] Test: check apex NSEC3 records after adding DNSKEY
record via UPDATE. [RT #23229]

3018. [bug] Named failed to check for the "none;" acl when deciding
if a zone may need to be re-signed. [RT #23120]

3017. [doc] dnssec-keyfromlabel -I was not properly documented.
[RT #22887]

3016. [bug] rndc usage missing '-b'. [RT #22937]

3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros. [RT #22724]

3014. [placeholder]

3013. [bug] The DNS64 ttl was not always being set as expected.
[RT #23034]

3012. [bug] Remove DNSKEY TTL change pairs before generating
signing records for any remaining DNSKEY changes.
[RT #22590]

3011. [func] Change the default query timeout from 30 seconds
to 10. Allow setting this in named.conf using the new
'resolver-query-timeout' option, which specifies a max
time in seconds. 0 means 'default' and anything longer
than 30 will be silently set to 30. [RT #22852]

3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
for refreshing managed-keys. [RT #22296]

3009. [bug] clients-per-query code didn't work as expected with
particular query patterns. [RT #22972]

----
こがよういちろう


Posted by xml-rpc: 2 September 2011 17:22
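Added example (not part of the original post, and not taken from ISC's README or CHANGES): a named.conf fragment that exercises several of the 9.9.0a1 items listed above in one place, so their syntax can be seen together. The zone name, addresses, paths, key names and the base64 key secret are placeholders; change numbers in the comments refer to the CHANGES entries above.

```conf
// Added example, not from the original post. Placeholders throughout:
// zone, addresses, paths, key names and the secret below.

// Separate keys for NOTIFY authentication and for dynamic updates, so
// a leaked update key cannot also be used to spoof NOTIFYs.
key "notify-key" {
    algorithm hmac-sha256;
    secret "dGhpcy1pcy1hLXBsYWNlaG9sZGVy";   // placeholder secret
};
key "update-key" {
    algorithm hmac-sha256;
    secret "dGhpcy1pcy1hLXBsYWNlaG9sZGVy";   // placeholder secret
};

// A named masters list. Change #3109 lets also-notify reuse it,
// including the per-server TSIG key.
masters "secondaries" {
    192.0.2.2 key "notify-key";
    2001:db8::2 key "notify-key";
};

options {
    directory "/var/named";
    // #3136: RFC 1918 reverse zones now join the built-in empty zones.
    empty-zones-enable yes;
    // #3011: resolver timeout in seconds; 0 means default, values
    // above 30 are silently clamped to 30.
    resolver-query-timeout 10;
    // #3102: minutes between rescans of key-directory under
    // automatic key maintenance (default 60).
    dnssec-loadkeys-interval 60;
    dnssec-enable yes;
    dnssec-validation auto;
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    key-directory "keys";
    allow-update { key "update-key"; };
    // #3109: masters-style syntax, here a named list with TSIG keys.
    also-notify { secondaries; };
    // #3130: SOA serial is set to the current UNIX time on update
    // ("increment" is the default).
    serial-update-method unixtime;
    // #3128 / #3116: keys from key-directory drive signing; switch
    // dnssec-update-mode to no-resign to stop periodic RRSIG
    // regeneration while still signing new or changed data.
    auto-dnssec maintain;
    dnssec-update-mode maintain;
};
```

With this in place, the new rndc commands from the list apply directly: `rndc sync -clean example.com` writes pending dynamic changes to disk and removes the journal without a freeze/thaw cycle (#3084), and `rndc flushtree example.com` on a resolver drops every cached name under that label (#3140). For an offline-signed zone, `dnssec-signzone -D` emits only the DNSSEC records, which the primary zone file then pulls in with $INCLUDE, and `dnssec-dsfromkey -f -` reads a DNSKEY from standard input to produce the DS for the parent (#3061, #3089).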