1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12Notes for BIND 9.18.0 13--------------------- 14 15.. note:: This section only lists changes since BIND 9.16.25, the most 16 recent release on the previous stable branch of BIND before 17 the publication of BIND 9.18.0. 18 19Known Issues 20~~~~~~~~~~~~ 21 22- ``rndc`` has been updated to use the new BIND network manager API. As 23 the network manager currently has no support for UNIX-domain sockets, 24 those cannot now be used with ``rndc``. This will be addressed in a 25 future release, either by restoring UNIX-domain socket support or by 26 formally declaring them to be obsolete in the control channel. 27 :gl:`#1759` 28 29- See :ref:`above <relnotes_known_issues>` for a list of all known 30 issues affecting this BIND 9 branch. 31 32New Features 33~~~~~~~~~~~~ 34 35- ``named`` now supports securing DNS traffic using Transport Layer 36 Security (TLS). TLS is used by both DNS over TLS (DoT) and 37 DNS over HTTPS (DoH). 38 39 ``named`` can use either a certificate provided by the user or an 40 ephemeral certificate generated automatically upon startup. The 41 :any:`tls` block allows fine-grained control over TLS 42 parameters. :gl:`#1840` :gl:`#2795` :gl:`#2796` 43 44 For debugging purposes, ``named`` logs TLS pre-master secrets when the 45 ``SSLKEYLOGFILE`` environment variable is set. This enables 46 troubleshooting of issues with encrypted traffic. :gl:`#2723` 47 48- Support for DNS over TLS (DoT) has been added to ``named``. Network 49 interfaces for DoT are configured using the existing 50 :ref:`listen-on <interfaces>` directive, while TLS parameters are 51 configured using the new :any:`tls` block. :gl:`#1840` 52 53 ``named`` supports :rfc:`zone transfers over TLS <9103>` 54 (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers. 55 56 Incoming zone transfers over TLS are enabled by adding the :any:`tls` 57 keyword, followed by either the name of a previously configured 58 :any:`tls` block or the string ``ephemeral``, to the 59 addresses included in :any:`primaries` lists. 60 :gl:`#2392` 61 62 Similarly, the :any:`allow-transfer` option 63 was extended to accept additional ``port`` and ``transport`` 64 parameters, to further restrict outgoing zone transfers to a 65 particular port and/or DNS transport protocol. :gl:`#2776` 66 67 Note that zone transfers over TLS (XoT) require the ``dot`` 68 Application-Layer Protocol Negotiation (ALPN) token to be selected in 69 the TLS handshake, as required by :rfc:`9103` section 7.1. This might 70 cause issues with non-compliant XoT servers. :gl:`#2794` 71 72 The ``dig`` tool is now able to send DoT queries (``+tls`` option). 73 :gl:`#1840` 74 75 There is currently no support for forwarding DNS queries via DoT. 76 77- Support for DNS over HTTPS (DoH) has been added to ``named``. Both 78 TLS-encrypted and unencrypted connections are supported (the latter 79 may be used to offload encryption to other software). Network 80 interfaces for DoH are configured using the existing 81 :ref:`listen-on <interfaces>` directive, while TLS parameters are 82 configured using the new :any:`tls` block and HTTP 83 parameters are configured using the new :any:`http` block. 84 :gl:`#1144` :gl:`#2472` 85 86 Server-side quotas on both the number of concurrent DoH connections 87 and the number of active HTTP/2 streams per connection can be 88 configured using the global :any:`http-listener-clients` and 89 :any:`http-streams-per-connection` options, or the :any:`listener-clients` 90 and :any:`streams-per-connection` parameters in an 91 :any:`http block <http>`. :gl:`#2809` 92 93 The ``dig`` tool is now able to send DoH queries (``+https`` option). 94 :gl:`#1641` 95 96 There is currently no support for forwarding DNS queries via DoH. 97 98 DoH support can be disabled at compile time using a new build-time 99 option, ``--disable-doh``. This allows BIND 9 to be built without the 100 `libnghttp2`_ library. :gl:`#2478` 101 102- A new logging category, ``rpz-passthru``, was added, which allows RPZ 103 passthru actions to be logged into a separate channel. :gl:`#54` 104 105- A new option, ``nsdname-wait-recurse``, has been added to the 106 :any:`response-policy` clause in the configuration file. When set to 107 ``no``, RPZ NSDNAME rules are only applied if the authoritative 108 nameservers for the query name have been looked up and are present in 109 the cache. If this information is not present, the RPZ NSDNAME rules 110 are ignored, but the information is looked up in the background and 111 applied to subsequent queries. The default is ``yes``, meaning that 112 RPZ NSDNAME rules should always be applied, even if the information 113 needs to be looked up first. :gl:`#1138` 114 115- Support for HTTPS and SVCB record types now also includes ADDITIONAL 116 section processing for these record types. :gl:`#1132` 117 118- New configuration options, :any:`tcp-receive-buffer`, 119 :any:`tcp-send-buffer`, :any:`udp-receive-buffer`, and :any:`udp-send-buffer`, 120 have been added. These options allow the operator to fine-tune the 121 receiving and sending buffers in the operating system. On busy 122 servers, increasing the size of the receive buffers can prevent the 123 server from dropping packets during short traffic spikes, and 124 decreasing it can prevent the server from becoming clogged with 125 queries that are too old and have already timed out. :gl:`#2313` 126 127- New finer-grained :any:`update-policy` rule types, 128 ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. 129 These rule types restrict updates to SRV and PTR records so that their 130 content can only match the machine name embedded in the Kerberos 131 principal making the change. :gl:`#481` 132 133- Per-type record count limits can now be specified in :any:`update-policy` 134 statements, to limit the number of records of a particular type that 135 can be added to a domain name via dynamic update. :gl:`#1657` 136 137- Support for OpenSSL 3.0 APIs was added. :gl:`#2843` :gl:`#3057` 138 139- Extended DNS Error Code 18 - Prohibited (see :rfc:`8914` section 140 4.19) is now set if query access is denied to the specific client. 141 :gl:`#1836` 142 143- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385` 144 145- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``). 146 This is useful when the host on which ``dig`` is run is behind an 147 IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a 148 Service). :gl:`#1154` 149 150- ``dig`` output now includes the transport protocol used (UDP, TCP, 151 TLS, HTTPS). :gl:`#1144` :gl:`#1816` 152 153- ``dig +qid=<num>`` allows the user to specify a particular query ID 154 for testing purposes. :gl:`#1851` 155 156.. _libnghttp2: https://nghttp2.org/ 157 158Removed Features 159~~~~~~~~~~~~~~~~ 160 161- Support for the ``map`` zone file format (``masterfile-format map;``) 162 has been removed. Users relying on the ``map`` format are advised to 163 convert their zones to the ``raw`` format with ``named-compilezone`` 164 and change the configuration appropriately prior to upgrading BIND 9. 165 :gl:`#2882` 166 167- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be 168 enabled in ``named`` at build time have been removed. New-style DLZ 169 modules should be used as a replacement. :gl:`#2814` 170 171- Support for compiling and running BIND 9 natively on Windows has been 172 completely removed. The last stable release branch that has working 173 Windows support is BIND 9.16. :gl:`#2690` 174 175- Native PKCS#11 support has been removed. :gl:`#2691` 176 177 When built against OpenSSL 1.x, BIND 9 now 178 :ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>`. engine_pkcs11 is an 179 OpenSSL engine which is part of the `OpenSC`_ project. 180 181 As support for so-called "engines" was deprecated in OpenSSL 3.x, 182 compiling BIND 9 against an OpenSSL 3.x build which does not retain 183 support for deprecated APIs makes it impossible to use PKCS#11 in BIND 184 9. A replacement for engine_pkcs11 which employs the new "provider" 185 approach introduced in OpenSSL 3.x is in the making. :gl:`#2843` 186 187- The utilities ``dnssec-checkds``, ``dnssec-coverage``, and 188 ``dnssec-keymgr`` have been removed from the BIND distribution, as well 189 as the ``isc`` Python package. DNSSEC features formerly provided 190 by these utilities are now integrated into ``named``. 191 See the :any:`dnssec-policy` configuration option 192 for more details. 193 194 An archival version of the Python utilities has been moved to 195 the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/. 196 Please note these tools are no longer supported by ISC. 197 198- Since the old socket manager API has been removed, "socketmgr" 199 statistics are no longer reported by the 200 :any:`statistics-channels`. :gl:`#2926` 201 202- The :any:`glue-cache` *option* has been marked as deprecated. The glue 203 cache *feature* still works and will be permanently *enabled* in a 204 future release. :gl:`#2146` 205 206- A number of non-working configuration options that had been marked as 207 obsolete in previous releases have now been removed completely. Using 208 any of the following options is now considered a configuration 209 failure: ``acache-cleaning-interval``, ``acache-enable``, 210 ``additional-from-auth``, ``additional-from-cache``, 211 ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``, 212 ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``, 213 ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``, 214 ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``, 215 ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``, 216 ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086` 217 218- The ``dig`` option ``+unexpected`` has been removed. :gl:`#2140` 219 220- IPv6 sockets are now explicitly restricted to sending and receiving 221 IPv6 packets only. As this breaks the ``+mapped`` option for ``dig``, 222 the option has been removed. :gl:`#3093` 223 224- Disable and disallow static linking of BIND 9 binaries and libraries 225 as BIND 9 modules require ``dlopen()`` support and static linking also 226 prevents using security features like read-only relocations (RELRO) or 227 address space layout randomization (ASLR) which are important for 228 programs that interact with the network and process arbitrary user 229 input. :gl:`#1933` 230 231- The ``--with-gperftools-profiler`` ``configure`` option was removed. 232 To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro 233 now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to 234 be present in ``LDFLAGS``. :gl:`!4045` 235 236.. _OpenSC: https://github.com/OpenSC/libp11 237 238Feature Changes 239~~~~~~~~~~~~~~~ 240 241- Aggressive Use of DNSSEC-Validated Cache (:any:`synth-from-dnssec`, see 242 :rfc:`8198`) is now enabled by default again, after having been 243 disabled in BIND 9.14.8. The implementation of this feature was 244 reworked to achieve better efficiency and tuned to ignore certain 245 types of broken NSEC records. Negative answer synthesis is currently 246 only supported for zones using NSEC. :gl:`#1265` 247 248- The default NSEC3 parameters for :any:`dnssec-policy` were updated to no 249 extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). This 250 change is in line with the `latest NSEC3 recommendations`_. 251 :gl:`#2956` 252 253- The default for :any:`dnssec-dnskey-kskonly` was changed to ``yes``. This 254 means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with 255 the KSK by default. The additional signatures prepared using the ZSK 256 when the option is set to ``no`` add to the DNS response payload 257 without offering added value. :gl:`#1316` 258 259- ``dnssec-cds`` now only generates SHA-2 DS records by default and 260 avoids copying deprecated SHA-1 records from a child zone to its 261 delegation in the parent. If the child zone does not publish SHA-2 CDS 262 records, ``dnssec-cds`` will generate them from the CDNSKEY records. 263 The ``-a algorithm`` option now affects the process of generating DS 264 digest records from both CDS and CDNSKEY records. Thanks to Tony 265 Finch. :gl:`#2871` 266 267- Previously, ``named`` accepted FORMERR responses both with and without 268 an OPT record, as an indication that a given server did not support 269 EDNS. To implement full compliance with :rfc:`6891`, only FORMERR 270 responses without an OPT record are now accepted. This intentionally 271 breaks communication with servers that do not support EDNS and that 272 incorrectly echo back the query message with the RCODE field set to 273 FORMERR and the QR bit set to 1. :gl:`#2249` 274 275- The question section is now checked when processing AXFR, IXFR, and 276 SOA replies while transferring a zone in. :gl:`#1683` 277 278- DNS Flag Day 2020: the EDNS buffer size probing code, which made the 279 resolver adjust the EDNS buffer size used for outgoing queries based 280 on the successful query responses and timeouts observed, was removed. 281 The resolver now always uses the EDNS buffer size set in 282 :any:`edns-udp-size` for all outgoing queries. :gl:`#2183` 283 284- Keeping stale answers in cache (:any:`stale-cache-enable`) has been 285 disabled by default. :gl:`#1712` 286 287- Overall memory use by ``named`` has been optimized and significantly 288 reduced, especially for resolver workloads. :gl:`#2398` :gl:`#3048` 289 290- Memory allocation is now based on the memory allocation API provided 291 by the `jemalloc`_ library, on platforms where it is available. Use of 292 this library is now recommended when building BIND 9; although it is 293 optional, it is enabled by default. :gl:`#2433` 294 295- Internal data structures maintained for each cache database are now 296 grown incrementally when they need to be expanded. This helps maintain 297 a steady response rate on a loaded resolver while these internal data 298 structures are resized. :gl:`#2941` 299 300- The interface handling code has been refactored to use fewer 301 resources, which should lead to less memory fragmentation and better 302 startup performance. :gl:`#2433` 303 304- When reporting zone types in the statistics channel, the terms 305 :any:`primary <type primary>` and :any:`secondary <type secondary>` are now used instead of ``master`` and 306 ``slave``, respectively. :gl:`#1944` 307 308- The ``rndc nta -dump`` and ``rndc secroots`` commands now both include 309 :any:`validate-except` entries when listing negative trust anchors. These 310 are indicated by the keyword ``permanent`` in place of the expiry 311 date. :gl:`#1532` 312 313- The output of ``rndc serve-stale status`` has been clarified. It now 314 explicitly reports whether retention of stale data in the cache is 315 enabled (:any:`stale-cache-enable`), and whether returning such data in 316 responses is enabled (:any:`stale-answer-enable`). :gl:`#2742` 317 318- Previously, using ``dig +bufsize=0`` had the side effect of disabling 319 EDNS, and there was no way to test the remote server's behavior when 320 it had received a packet with EDNS0 buffer size set to 0. This is no 321 longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS 322 version 0 and buffer size set to 0. To disable EDNS, use ``dig 323 +noedns``. :gl:`#2054` 324 325- BIND 9 binaries which are neither daemons nor administrative programs 326 were moved to ``$bindir``. Only ``ddns-confgen``, ``named``, ``rndc``, 327 ``rndc-confgen``, and ``tsig-confgen`` were left in ``$sbindir``. 328 :gl:`#1724` 329 330- The BIND 9 build system has been changed to use a typical 331 autoconf+automake+libtool stack. This should not make any difference 332 for people building BIND 9 from release tarballs, but when building 333 BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run 334 first. Extra attention is also needed when using non-standard 335 ``configure`` options. :gl:`#4` 336 337.. _latest NSEC3 recommendations: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02 338 339.. _jemalloc: http://jemalloc.net/ 340 341Bug Fixes 342~~~~~~~~~ 343 344- Log files using ``timestamp``-style suffixes were not always correctly 345 removed when the number of files exceeded the limit set by 346 ``versions``. This has been fixed. :gl:`#828` 347