File: //proc/self/root/usr/share/doc/bind9-doc/arm/notes.html
<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="./">
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Release Notes — BIND 9 9.18.39-0ubuntu0.24.04.2-Ubuntu documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css?v=80d5e7a1" />
<link rel="stylesheet" type="text/css" href="_static/css/theme.css?v=86f27845" />
<link rel="stylesheet" type="text/css" href="_static/custom.css?v=9ab34431" />
<script src="_static/jquery.js?v=8dae8fb0"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="_static/documentation_options.js?v=9d4ae9d2"></script>
<script src="_static/doctools.js?v=888ff710"></script>
<script src="_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="_static/js/theme.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Changelog" href="changelog.html" />
<link rel="prev" title="10. Building BIND 9" href="chapter10.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home">
BIND 9
</a>
<div class="version">
9.18.39-0ubuntu0.24.04.2-Ubuntu
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul>
<li class="toctree-l1"><a class="reference internal" href="chapter1.html">1. Introduction to DNS and BIND 9</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter2.html">2. Resource Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter3.html">3. Configurations and Zone Files</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter4.html">4. Name Server Operations</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter5.html">5. DNSSEC</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter6.html">6. Advanced Configurations</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter7.html">7. Security Configurations</a></li>
<li class="toctree-l1"><a class="reference internal" href="reference.html">8. Configuration Reference</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter9.html">9. Troubleshooting</a></li>
<li class="toctree-l1"><a class="reference internal" href="chapter10.html">10. Building BIND 9</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Appendices</span></p>
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">Release Notes</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#introduction">Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="#supported-platforms">Supported Platforms</a></li>
<li class="toctree-l2"><a class="reference internal" href="#download">Download</a></li>
<li class="toctree-l2"><a class="reference internal" href="#known-issues">Known Issues</a></li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-39">Notes for BIND 9.18.39</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#new-features">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#feature-changes">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#bug-fixes">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-38">Notes for BIND 9.18.38</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#security-fixes">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id1">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id2">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-37">Notes for BIND 9.18.37</a></li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-36">Notes for BIND 9.18.36</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id3">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id4">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-35">Notes for BIND 9.18.35</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id5">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-34">Notes for BIND 9.18.34</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id6">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#removed-features">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id7">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-33">Notes for BIND 9.18.33</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id8">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id9">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id10">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-32">Notes for BIND 9.18.32</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id11">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id12">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id13">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id14">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-31">Notes for BIND 9.18.31</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id15">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id16">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id17">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id18">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-30">Notes for BIND 9.18.30</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id19">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id20">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id21">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id22">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-29">Notes for BIND 9.18.29</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id23">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id24">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id25">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-28">Notes for BIND 9.18.28</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id26">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id27">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id28">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-27">Notes for BIND 9.18.27</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id29">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id30">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id31">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-26">Notes for BIND 9.18.26</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id32">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id33">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id34">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-25">Notes for BIND 9.18.25</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id35">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id36">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-24">Notes for BIND 9.18.24</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id37">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id38">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id39">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-23">Notes for BIND 9.18.23</a></li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-22">Notes for BIND 9.18.22</a></li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-21">Notes for BIND 9.18.21</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id40">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id41">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-20">Notes for BIND 9.18.20</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id42">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id43">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id44">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-19">Notes for BIND 9.18.19</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id45">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id46">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id47">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id48">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id49">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-18">Notes for BIND 9.18.18</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id50">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id51">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id52">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-17">Notes for BIND 9.18.17</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id53">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id54">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id55">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-16">Notes for BIND 9.18.16</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id56">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id57">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id58">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id59">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id60">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-15">Notes for BIND 9.18.15</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id61">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id62">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-14">Notes for BIND 9.18.14</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id63">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id64">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id65">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-13">Notes for BIND 9.18.13</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id66">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id67">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id68">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id69">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-12">Notes for BIND 9.18.12</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id70">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id71">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id72">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-11">Notes for BIND 9.18.11</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id73">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id74">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id75">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id76">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id77">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id78">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-10">Notes for BIND 9.18.10</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id79">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id80">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id81">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-9">Notes for BIND 9.18.9</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id82">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id83">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-8">Notes for BIND 9.18.8</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id84">Known Issues</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id85">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id86">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id87">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-7">Notes for BIND 9.18.7</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id88">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id89">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id90">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id91">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-6">Notes for BIND 9.18.6</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id92">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id93">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id94">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-5">Notes for BIND 9.18.5</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id95">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id96">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id97">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-4">Notes for BIND 9.18.4</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id98">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id99">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id100">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-3">Notes for BIND 9.18.3</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id101">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id102">Known Issues</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id103">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id104">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-2">Notes for BIND 9.18.2</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id105">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id106">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id107">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-1">Notes for BIND 9.18.1</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id108">Security Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id109">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id110">Bug Fixes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id111">Known Issues</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#notes-for-bind-9-18-0">Notes for BIND 9.18.0</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id112">Known Issues</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id113">New Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id114">Removed Features</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id115">Feature Changes</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id116">Bug Fixes</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#license">License</a></li>
<li class="toctree-l2"><a class="reference internal" href="#end-of-life">End of Life</a></li>
<li class="toctree-l2"><a class="reference internal" href="#thank-you">Thank You</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="changelog.html">Changelog</a></li>
<li class="toctree-l1"><a class="reference internal" href="dnssec-guide.html">DNSSEC Guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="history.html">A Brief History of the DNS and BIND</a></li>
<li class="toctree-l1"><a class="reference internal" href="general.html">General DNS Reference Information</a></li>
<li class="toctree-l1"><a class="reference internal" href="manpages.html">Manual Pages</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">BIND 9</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">Release Notes</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/notes.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="release-notes">
<span id="relnotes"></span><h1><a class="toc-backref" href="#id117" role="doc-backlink">Release Notes</a><a class="headerlink" href="#release-notes" title="Link to this heading"></a></h1>
<nav class="contents" id="contents">
<p class="topic-title">Contents</p>
<ul class="simple">
<li><p><a class="reference internal" href="#release-notes" id="id117">Release Notes</a></p>
<ul>
<li><p><a class="reference internal" href="#introduction" id="id118">Introduction</a></p></li>
<li><p><a class="reference internal" href="#supported-platforms" id="id119">Supported Platforms</a></p></li>
<li><p><a class="reference internal" href="#download" id="id120">Download</a></p></li>
<li><p><a class="reference internal" href="#known-issues" id="id121">Known Issues</a></p></li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-39" id="id122">Notes for BIND 9.18.39</a></p>
<ul>
<li><p><a class="reference internal" href="#new-features" id="id123">New Features</a></p></li>
<li><p><a class="reference internal" href="#feature-changes" id="id124">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#bug-fixes" id="id125">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-38" id="id126">Notes for BIND 9.18.38</a></p>
<ul>
<li><p><a class="reference internal" href="#security-fixes" id="id127">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id1" id="id128">New Features</a></p></li>
<li><p><a class="reference internal" href="#id2" id="id129">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-37" id="id130">Notes for BIND 9.18.37</a></p></li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-36" id="id131">Notes for BIND 9.18.36</a></p>
<ul>
<li><p><a class="reference internal" href="#id3" id="id132">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id4" id="id133">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-35" id="id134">Notes for BIND 9.18.35</a></p>
<ul>
<li><p><a class="reference internal" href="#id5" id="id135">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-34" id="id136">Notes for BIND 9.18.34</a></p>
<ul>
<li><p><a class="reference internal" href="#id6" id="id137">New Features</a></p></li>
<li><p><a class="reference internal" href="#removed-features" id="id138">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id7" id="id139">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-33" id="id140">Notes for BIND 9.18.33</a></p>
<ul>
<li><p><a class="reference internal" href="#id8" id="id141">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id9" id="id142">New Features</a></p></li>
<li><p><a class="reference internal" href="#id10" id="id143">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-32" id="id144">Notes for BIND 9.18.32</a></p>
<ul>
<li><p><a class="reference internal" href="#id11" id="id145">New Features</a></p></li>
<li><p><a class="reference internal" href="#id12" id="id146">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id13" id="id147">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id14" id="id148">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-31" id="id149">Notes for BIND 9.18.31</a></p>
<ul>
<li><p><a class="reference internal" href="#id15" id="id150">New Features</a></p></li>
<li><p><a class="reference internal" href="#id16" id="id151">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id17" id="id152">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id18" id="id153">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-30" id="id154">Notes for BIND 9.18.30</a></p>
<ul>
<li><p><a class="reference internal" href="#id19" id="id155">New Features</a></p></li>
<li><p><a class="reference internal" href="#id20" id="id156">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id21" id="id157">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id22" id="id158">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-29" id="id159">Notes for BIND 9.18.29</a></p>
<ul>
<li><p><a class="reference internal" href="#id23" id="id160">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id24" id="id161">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id25" id="id162">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-28" id="id163">Notes for BIND 9.18.28</a></p>
<ul>
<li><p><a class="reference internal" href="#id26" id="id164">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id27" id="id165">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id28" id="id166">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-27" id="id167">Notes for BIND 9.18.27</a></p>
<ul>
<li><p><a class="reference internal" href="#id29" id="id168">New Features</a></p></li>
<li><p><a class="reference internal" href="#id30" id="id169">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id31" id="id170">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-26" id="id171">Notes for BIND 9.18.26</a></p>
<ul>
<li><p><a class="reference internal" href="#id32" id="id172">New Features</a></p></li>
<li><p><a class="reference internal" href="#id33" id="id173">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id34" id="id174">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-25" id="id175">Notes for BIND 9.18.25</a></p>
<ul>
<li><p><a class="reference internal" href="#id35" id="id176">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id36" id="id177">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-24" id="id178">Notes for BIND 9.18.24</a></p>
<ul>
<li><p><a class="reference internal" href="#id37" id="id179">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id38" id="id180">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id39" id="id181">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-23" id="id182">Notes for BIND 9.18.23</a></p></li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-22" id="id183">Notes for BIND 9.18.22</a></p></li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-21" id="id184">Notes for BIND 9.18.21</a></p>
<ul>
<li><p><a class="reference internal" href="#id40" id="id185">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id41" id="id186">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-20" id="id187">Notes for BIND 9.18.20</a></p>
<ul>
<li><p><a class="reference internal" href="#id42" id="id188">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id43" id="id189">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id44" id="id190">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-19" id="id191">Notes for BIND 9.18.19</a></p>
<ul>
<li><p><a class="reference internal" href="#id45" id="id192">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id46" id="id193">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id47" id="id194">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id48" id="id195">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id49" id="id196">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-18" id="id197">Notes for BIND 9.18.18</a></p>
<ul>
<li><p><a class="reference internal" href="#id50" id="id198">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id51" id="id199">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id52" id="id200">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-17" id="id201">Notes for BIND 9.18.17</a></p>
<ul>
<li><p><a class="reference internal" href="#id53" id="id202">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id54" id="id203">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id55" id="id204">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-16" id="id205">Notes for BIND 9.18.16</a></p>
<ul>
<li><p><a class="reference internal" href="#id56" id="id206">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id57" id="id207">New Features</a></p></li>
<li><p><a class="reference internal" href="#id58" id="id208">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id59" id="id209">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id60" id="id210">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-15" id="id211">Notes for BIND 9.18.15</a></p>
<ul>
<li><p><a class="reference internal" href="#id61" id="id212">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id62" id="id213">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-14" id="id214">Notes for BIND 9.18.14</a></p>
<ul>
<li><p><a class="reference internal" href="#id63" id="id215">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id64" id="id216">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id65" id="id217">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-13" id="id218">Notes for BIND 9.18.13</a></p>
<ul>
<li><p><a class="reference internal" href="#id66" id="id219">New Features</a></p></li>
<li><p><a class="reference internal" href="#id67" id="id220">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id68" id="id221">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id69" id="id222">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-12" id="id223">Notes for BIND 9.18.12</a></p>
<ul>
<li><p><a class="reference internal" href="#id70" id="id224">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id71" id="id225">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id72" id="id226">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-11" id="id227">Notes for BIND 9.18.11</a></p>
<ul>
<li><p><a class="reference internal" href="#id73" id="id228">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id74" id="id229">New Features</a></p></li>
<li><p><a class="reference internal" href="#id75" id="id230">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id76" id="id231">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id77" id="id232">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id78" id="id233">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-10" id="id234">Notes for BIND 9.18.10</a></p>
<ul>
<li><p><a class="reference internal" href="#id79" id="id235">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id80" id="id236">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id81" id="id237">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-9" id="id238">Notes for BIND 9.18.9</a></p>
<ul>
<li><p><a class="reference internal" href="#id82" id="id239">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id83" id="id240">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-8" id="id241">Notes for BIND 9.18.8</a></p>
<ul>
<li><p><a class="reference internal" href="#id84" id="id242">Known Issues</a></p></li>
<li><p><a class="reference internal" href="#id85" id="id243">New Features</a></p></li>
<li><p><a class="reference internal" href="#id86" id="id244">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id87" id="id245">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-7" id="id246">Notes for BIND 9.18.7</a></p>
<ul>
<li><p><a class="reference internal" href="#id88" id="id247">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id89" id="id248">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id90" id="id249">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id91" id="id250">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-6" id="id251">Notes for BIND 9.18.6</a></p>
<ul>
<li><p><a class="reference internal" href="#id92" id="id252">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id93" id="id253">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id94" id="id254">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-5" id="id255">Notes for BIND 9.18.5</a></p>
<ul>
<li><p><a class="reference internal" href="#id95" id="id256">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id96" id="id257">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id97" id="id258">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-4" id="id259">Notes for BIND 9.18.4</a></p>
<ul>
<li><p><a class="reference internal" href="#id98" id="id260">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id99" id="id261">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id100" id="id262">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-3" id="id263">Notes for BIND 9.18.3</a></p>
<ul>
<li><p><a class="reference internal" href="#id101" id="id264">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id102" id="id265">Known Issues</a></p></li>
<li><p><a class="reference internal" href="#id103" id="id266">New Features</a></p></li>
<li><p><a class="reference internal" href="#id104" id="id267">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-2" id="id268">Notes for BIND 9.18.2</a></p>
<ul>
<li><p><a class="reference internal" href="#id105" id="id269">New Features</a></p></li>
<li><p><a class="reference internal" href="#id106" id="id270">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id107" id="id271">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-1" id="id272">Notes for BIND 9.18.1</a></p>
<ul>
<li><p><a class="reference internal" href="#id108" id="id273">Security Fixes</a></p></li>
<li><p><a class="reference internal" href="#id109" id="id274">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id110" id="id275">Bug Fixes</a></p></li>
<li><p><a class="reference internal" href="#id111" id="id276">Known Issues</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#notes-for-bind-9-18-0" id="id277">Notes for BIND 9.18.0</a></p>
<ul>
<li><p><a class="reference internal" href="#id112" id="id278">Known Issues</a></p></li>
<li><p><a class="reference internal" href="#id113" id="id279">New Features</a></p></li>
<li><p><a class="reference internal" href="#id114" id="id280">Removed Features</a></p></li>
<li><p><a class="reference internal" href="#id115" id="id281">Feature Changes</a></p></li>
<li><p><a class="reference internal" href="#id116" id="id282">Bug Fixes</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#license" id="id283">License</a></p></li>
<li><p><a class="reference internal" href="#end-of-life" id="id284">End of Life</a></p></li>
<li><p><a class="reference internal" href="#thank-you" id="id285">Thank You</a></p></li>
</ul>
</li>
</ul>
</nav>
<section id="introduction">
<h2><a class="toc-backref" href="#id118" role="doc-backlink">Introduction</a><a class="headerlink" href="#introduction" title="Link to this heading"></a></h2>
<p>BIND 9.18 (Extended Support Version) is a stable branch of BIND. This
document summarizes significant changes since the last production
release on that branch. Please see the <a class="reference internal" href="changelog.html#changelog"><span class="std std-ref">Changelog</span></a> file for
a more detailed list of changes and bug fixes.</p>
</section>
<section id="supported-platforms">
<h2><a class="toc-backref" href="#id119" role="doc-backlink">Supported Platforms</a><a class="headerlink" href="#supported-platforms" title="Link to this heading"></a></h2>
<p>See the <a class="reference internal" href="chapter2.html#supported-os"><span class="std std-ref">Supported Platforms</span></a> section in the <a class="reference internal" href="chapter2.html#requirements"><span class="std std-ref">Resource Requirements</span></a> chapter.</p>
</section>
<section id="download">
<h2><a class="toc-backref" href="#id120" role="doc-backlink">Download</a><a class="headerlink" href="#download" title="Link to this heading"></a></h2>
<p>The latest versions of BIND 9 software can always be found at
<a class="reference external" href="https://www.isc.org/download/">https://www.isc.org/download/</a>. There you will find additional
information about each release, and source code.</p>
</section>
<section id="known-issues">
<span id="relnotes-known-issues"></span><h2><a class="toc-backref" href="#id121" role="doc-backlink">Known Issues</a><a class="headerlink" href="#known-issues" title="Link to this heading"></a></h2>
<p>The list of known issues affecting the latest version in the 9.18 branch can be
found at
<a class="reference external" href="https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18">https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18</a></p>
</section>
<section id="notes-for-bind-9-18-39">
<h2><a class="toc-backref" href="#id122" role="doc-backlink">Notes for BIND 9.18.39</a><a class="headerlink" href="#notes-for-bind-9-18-39" title="Link to this heading"></a></h2>
<section id="new-features">
<h3><a class="toc-backref" href="#id123" role="doc-backlink">New Features</a><a class="headerlink" href="#new-features" title="Link to this heading"></a></h3>
<ul>
<li><p>Support for parsing the DSYNC record has been added.</p>
<p>[GL #5440]</p>
</li>
</ul>
</section>
<section id="feature-changes">
<h3><a class="toc-backref" href="#id124" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#feature-changes" title="Link to this heading"></a></h3>
<ul>
<li><p>Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1, and DS digest
type 1.</p>
<p>RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated
by the IETF and should no longer be used for DNSSEC. DS digest type 1
(SHA1) has also been deprecated in BIND 9. Validators are now expected to treat
these algorithms and digest as unknown, resulting in some zones being
treated as insecure when they were previously treated as secure.
Warnings have been added to <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> and tools when these algorithms and
this digest are being used for signing.</p>
<p>Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a
different DNSKEY algorithm.</p>
<p>Zones with DS or CDS records with digest type 1 (SHA1) should be
updated to use a different digest type (e.g. SHA256) and the digest
type 1 records should be removed. [GL #5358]</p>
</li>
</ul>
</section>
<section id="bug-fixes">
<h3><a class="toc-backref" href="#id125" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#bug-fixes" title="Link to this heading"></a></h3>
<ul>
<li><p>Clean enough memory when adding new ADB names/entries under memory
pressure.</p>
<p>The ADB memory cleaning is opportunistic even when BIND is under memory
pressure (in the overmem condition). The opportunistic LRU
cleaning and overmem cleaning have been split, and the overmem cleaning always
cleans up double of the newly allocated adbname/adbentry to ensure we
never allocate more memory than the assigned limit. [GL !10637]</p>
</li>
<li><p>Rescan the interfaces again when reconfiguring the server.</p>
<p>Previously on FreeBSD, the server did not listen on the configured <code class="docutils literal notranslate"><span class="pre">localhost</span></code>
interfaces immediately, but only after the <code class="docutils literal notranslate"><span class="pre">interface-interval</span></code> period
had passed. After an earlier fix, the server would listen on the <code class="docutils literal notranslate"><span class="pre">localhost</span></code> after
60 minutes.</p>
<p>Now, the interfaces are rescanned immediately after configuring the
<code class="docutils literal notranslate"><span class="pre">interface-interval</span></code> value and begin listening on the <code class="docutils literal notranslate"><span class="pre">localhost</span></code>
interface immediately. [GL !10758]</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-38">
<h2><a class="toc-backref" href="#id126" role="doc-backlink">Notes for BIND 9.18.38</a><a class="headerlink" href="#notes-for-bind-9-18-38" title="Link to this heading"></a></h2>
<section id="security-fixes">
<h3><a class="toc-backref" href="#id127" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#security-fixes" title="Link to this heading"></a></h3>
<ul>
<li><p>Fix an issue when some specific queries could remain unanswered with
serve-stale enabled.</p>
<p>When <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> was running with stale answers enabled and with
the <a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> configuration option set to
<code class="docutils literal notranslate"><span class="pre">0</span></code>, in certain situations it was possible that some queries could
remain unanswered. This has been fixed. [GL #5383]</p>
</li>
</ul>
</section>
<section id="id1">
<h3><a class="toc-backref" href="#id128" role="doc-backlink">New Features</a><a class="headerlink" href="#id1" title="Link to this heading"></a></h3>
<ul>
<li><p>Add support for the CO flag to <a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a>.</p>
<p>Add support for Compact Denial of Existence to <a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a>. This
includes showing the CO (Compact Answers OK) flag when displaying
messages and adding an option to set the CO flag when making queries
(<a class="reference internal" href="manpages.html#cmdoption-dig-arg-coflag"><code class="xref std std-option docutils literal notranslate"><span class="pre">dig</span> <span class="pre">+coflag</span></code></a>). [GL #5319]</p>
</li>
</ul>
</section>
<section id="id2">
<h3><a class="toc-backref" href="#id129" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id2" title="Link to this heading"></a></h3>
<ul>
<li><p>Correct the default <a class="reference internal" href="reference.html#namedconf-statement-interface-interval" title="namedconf-statement-interface-interval"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">interface-interval</span></code></a> from 60s to 60m.</p>
<p>When the <a class="reference internal" href="reference.html#namedconf-statement-interface-interval" title="namedconf-statement-interface-interval"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">interface-interval</span></code></a> parser was changed from a
<code class="docutils literal notranslate"><span class="pre">uint32</span></code> parser to a duration parser, the default value stayed at
plain number <code class="docutils literal notranslate"><span class="pre">60</span></code> which now means 60 seconds instead of 60 minutes.
The documentation also incorrectly states that the value is in
minutes. That has been fixed. [GL #5246]</p>
</li>
<li><p>Fix a <a class="reference internal" href="reference.html#namedconf-statement-purge-keys" title="namedconf-statement-purge-keys"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">purge-keys</span></code></a> bug when using multiple views of a zone.</p>
<p>Previously, when a DNSSEC key was purged by one zone view, other zone
views would return an error about missing key files. This has been
fixed. [GL #5315]</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-37">
<h2><a class="toc-backref" href="#id130" role="doc-backlink">Notes for BIND 9.18.37</a><a class="headerlink" href="#notes-for-bind-9-18-37" title="Link to this heading"></a></h2>
</section>
<section id="notes-for-bind-9-18-36">
<h2><a class="toc-backref" href="#id131" role="doc-backlink">Notes for BIND 9.18.36</a><a class="headerlink" href="#notes-for-bind-9-18-36" title="Link to this heading"></a></h2>
<section id="id3">
<h3><a class="toc-backref" href="#id132" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id3" title="Link to this heading"></a></h3>
<ul>
<li><p>Make TLS data processing more reliable in various network conditions.</p>
<p>BIND now deciphers incoming TLS data before processing it, making it
more similar to the handling of TCP. This results in a more
predictable behavior, particularly when reading from the stream is
paused or resumed. Previously, this could result in an assertion
failure when using XFR over TLS (XoT). This has been fixed.
[GL #5247]</p>
</li>
</ul>
</section>
<section id="id4">
<h3><a class="toc-backref" href="#id133" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id4" title="Link to this heading"></a></h3>
<ul>
<li><p>Stop caching lack of EDNS support.</p>
<p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could falsely learn that a server did not support EDNS
when a spoofed response was received; that subsequently prevented
DNSSEC lookups from being made. This has been fixed. [GL #3949]
[GL #5066]</p>
</li>
<li><p>Fix resolver statistics counters for timed-out responses.</p>
<p>When query responses timed out, the resolver could incorrectly
increase the regular response counters, even if no response was
received. This has been fixed. [GL #5193]</p>
</li>
<li><p>Don’t enforce NOAUTH/NOCONF flags in DNSKEYs.</p>
<p>All DNSKEY keys are able to authenticate. The <code class="docutils literal notranslate"><span class="pre">DNS_KEYTYPE_NOAUTH</span></code>
(and <code class="docutils literal notranslate"><span class="pre">DNS_KEYTYPE_NOCONF</span></code>) flags were defined for the KEY rdata
type, and are not applicable to DNSKEY. Previously, however, because
the DNSKEY implementation was built on top of KEY, the <code class="docutils literal notranslate"><span class="pre">_NOAUTH</span></code>
flag prevented authentication in DNSKEYs as well. This has been
corrected. [GL #5240]</p>
</li>
<li><p>Fix inconsistency in CNAME/DNAME handling during resolution.</p>
<p>Previously, in some cases, the resolver could return rdatasets of type
CNAME or DNAME without the result code being set to <code class="docutils literal notranslate"><span class="pre">DNS_R_CNAME</span></code> or
<code class="docutils literal notranslate"><span class="pre">DNS_R_DNAME</span></code>. This could trigger an assertion failure. This has
been fixed. [GL #5201]</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-35">
<h2><a class="toc-backref" href="#id134" role="doc-backlink">Notes for BIND 9.18.35</a><a class="headerlink" href="#notes-for-bind-9-18-35" title="Link to this heading"></a></h2>
<section id="id5">
<h3><a class="toc-backref" href="#id135" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id5" title="Link to this heading"></a></h3>
<ul>
<li><p>Fix deferred validation of unsigned DS and DNSKEY records.</p>
<p>When processing a query with the “checking disabled” bit set (CD=1),
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> stores the invalidated result in the cache, marked “pending”.
When the same query is sent with CD=0, the cached data is validated
and either accepted as an answer, or ejected from the cache as
invalid. This deferred validation was not attempted for DS and DNSKEY
records if they had no cached signatures, causing spurious validation
failures. The deferred validation is now completed in this scenario.</p>
<p>Also, if deferred validation fails, the data is now re-queried to find
out whether the zone has been corrected since the invalid data was
cached. [GL #5066]</p>
</li>
<li><p>Fix RPZ race condition during a reconfiguration.</p>
<p>With RPZ in use, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could terminate unexpectedly because of a
race condition when a reconfiguration command was received using
<a class="reference internal" href="manpages.html#std-iscman-rndc"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">rndc</span></code></a>. This has been fixed. [GL #5146]</p>
</li>
<li><p>“CNAME and other data check” not applied to all types.</p>
<p>An incorrect optimization caused “CNAME and other data” errors not to
be detected if certain types were at the same node as a CNAME. This
has been fixed. [GL #5150]</p>
</li>
<li><p>Remove NSEC/DS/NSEC3 RRSIG check from <code class="docutils literal notranslate"><span class="pre">dns_message_parse()</span></code>.</p>
<p>Previously, when parsing responses, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> incorrectly rejected
responses without matching RRSIG records for NSEC/DS/NSEC3 records in
the authority section. This rejection, if appropriate, should have
been left for the validator to determine and has been fixed.
[GL #5185]</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-34">
<h2><a class="toc-backref" href="#id136" role="doc-backlink">Notes for BIND 9.18.34</a><a class="headerlink" href="#notes-for-bind-9-18-34" title="Link to this heading"></a></h2>
<section id="id6">
<h3><a class="toc-backref" href="#id137" role="doc-backlink">New Features</a><a class="headerlink" href="#id6" title="Link to this heading"></a></h3>
<ul>
<li><p>Print the expiration time of the stale records.</p>
<p>Print the expiration time of the stale RRsets in the cache dump.</p>
</li>
</ul>
</section>
<section id="removed-features">
<h3><a class="toc-backref" href="#id138" role="doc-backlink">Removed Features</a><a class="headerlink" href="#removed-features" title="Link to this heading"></a></h3>
<ul>
<li><p>Remove <cite>–with-tuning=small/large</cite> configuration option.</p>
<p>The configuration option <cite>–with-tuning</cite> has been removed as it is no
longer required or desired.</p>
</li>
</ul>
</section>
<section id="id7">
<h3><a class="toc-backref" href="#id139" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id7" title="Link to this heading"></a></h3>
<ul>
<li><p>Fix <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-flushname"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">flushname</span></code></a> for longer name server names.</p>
<p><a class="reference internal" href="manpages.html#cmdoption-rndc-arg-flushname"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">flushname</span></code></a> did not work for name server names longer
than 16 bytes. This has been fixed. [GL #3885]</p>
</li>
<li><p>Recently expired records could be returned with a timestamp in future.</p>
<p>Under rare circumstances, an RRSet that expired at the time of the
query could be returned with a TTL in the future. This has been fixed.</p>
<p>As a side effect, the expiration time of expired RRSets is no longer
returned in a cache dump. [GL #5094]</p>
</li>
<li><p>YAML string not terminated in negative response in delv.</p>
<p>[GL #5098]</p>
</li>
<li><p>Apply the memory limit only to ADB database items.</p>
<p>Under heavy load, a resolver could exhaust the memory available for
storing the information in the Address Database (ADB), effectively
discarding previously stored information in the ADB. The memory used to
retrieve and provide information from the ADB is no longer subject to
the same memory limits that are applied to</p>
<p>the Address Database. [GL #5127]</p>
</li>
<li><p>Avoid unnecessary locking in the zone/cache database.</p>
<p>Lock contention among many worker threads referring to the
same database node at the same time is now prevented. This improves zone and
cache database performance for any heavily contended database nodes.
[GL #5130]</p>
</li>
<li><p>Improve the resolver performance under attack.</p>
<p>Previously, a remote client could force the DNS resolver component to consume
memory faster than resources were cleaned up for the canceled resolver
fetches, due to the <cite>recursive-clients</cite> limit. If such a traffic pattern
was sustained for a long period of time, the DNS server might
eventually run out of the available memory. This has been fixed.</p>
<p>It should be noted that, under such a heavy attack, no outgoing DNS queries will be successful in BIND 9
versions both with and without the fix, as the generated traffic pattern will consume all the
available slots for the recursive clients.</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-33">
<h2><a class="toc-backref" href="#id140" role="doc-backlink">Notes for BIND 9.18.33</a><a class="headerlink" href="#notes-for-bind-9-18-33" title="Link to this heading"></a></h2>
<section id="id8">
<h3><a class="toc-backref" href="#id141" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id8" title="Link to this heading"></a></h3>
<ul>
<li><p>DNS-over-HTTPS flooding fixes. <span class="target" id="index-0"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-12705"><strong>(CVE-2024-12705)</strong></a></p>
<p>Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> instances that
accept queries over DNS-over-HTTPS.</p>
<p>Previously, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> processed all incoming HTTP/2 data at
once, which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That has been
fixed. Now, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> handles HTTP/2 data in smaller chunks and
throttles reading until the remote side reads the response data. It
also throttles clients that send too many requests at once.</p>
<p>In addition, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now evaluates excessive streams opened by
clients that include no DNS data, which is considered “flooding.” It
logs these clients and drops connections from them. [GL #4795]</p>
<p>In some cases, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could leave DNS-over-HTTPS
connections in the <cite>CLOSE_WAIT</cite> state indefinitely. That has also been
fixed. [GL #5083]</p>
<p>ISC would like to thank Jean-François Billaud for his assistance with
investigating this issue.</p>
</li>
<li><p>Limit additional section processing for large RDATA sets.
<span class="target" id="index-1"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-11187"><strong>(CVE-2024-11187)</strong></a></p>
<p>When answering queries, don’t add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the number
of lookups into the database(s) during a single client query, reducing
the query-processing load. [GL #5034]</p>
<p>ISC would like to thank Toshifumi Sakaguchi for bringing this
vulnerability to our attention.</p>
</li>
</ul>
</section>
<section id="id9">
<h3><a class="toc-backref" href="#id142" role="doc-backlink">New Features</a><a class="headerlink" href="#id9" title="Link to this heading"></a></h3>
<ul>
<li><p>Add a new option to configure the maximum number of outgoing queries
per client request.</p>
<p>The configuration option <a class="reference internal" href="reference.html#namedconf-statement-max-query-count" title="namedconf-statement-max-query-count"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-query-count</span></code></a> sets how many outgoing
queries per client request are allowed. The existing
<a class="reference internal" href="reference.html#namedconf-statement-max-recursion-queries" title="namedconf-statement-max-recursion-queries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-recursion-queries</span></code></a> value is the number of permissible queries for a
single name and is reset on every CNAME redirection. This new option
is a global limit on the client request. The default is 200.</p>
<p>The default for <a class="reference internal" href="reference.html#namedconf-statement-max-recursion-queries" title="namedconf-statement-max-recursion-queries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-recursion-queries</span></code></a> is changed from 32 to
50. This allows <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref any std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to send a few more queries
while looking up a single name. [GL #4980] [GL #4921]</p>
</li>
</ul>
</section>
<section id="id10">
<h3><a class="toc-backref" href="#id143" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id10" title="Link to this heading"></a></h3>
<ul>
<li><p>Fix <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a> hang when processing a large update.</p>
<p>To mitigate DNS flood attacks over a single TCP connection, throttle
the connection when the other side does not read the data. Throttling
should only occur on server-side sockets, but erroneously also
happened for <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a>, which acts as a client. When
<a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a> started throttling the connection, it never
attempted to read again. This has been fixed. [GL #4910]</p>
</li>
<li><p>Fix possible assertion failure when reloading server while processing
update policy rules. [GL #5006]</p></li>
<li><p>Fix <a class="reference internal" href="manpages.html#std-iscman-dnssec-signzone"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-signzone</span></code></a> signing non-DNSKEY RRsets with revoked keys.</p>
<p><a class="reference internal" href="manpages.html#std-iscman-dnssec-signzone"><code class="xref any std std-iscman docutils literal notranslate"><span class="pre">dnssec-signzone</span></code></a> was using revoked keys for signing RRsets other than
DNSKEY. This has been corrected. [GL #5070]</p>
</li>
<li><p>Fix improper handling of unknown directives in <code class="docutils literal notranslate"><span class="pre">resolv.conf</span></code>.</p>
<p>The line after an unknown directive in <code class="docutils literal notranslate"><span class="pre">resolv.conf</span></code> could accidentally be
skipped, potentially affecting <a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a>, <a class="reference internal" href="manpages.html#std-iscman-host"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">host</span></code></a>,
<a class="reference internal" href="manpages.html#std-iscman-nslookup"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nslookup</span></code></a>, <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a>, or <a class="reference internal" href="manpages.html#std-iscman-delv"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">delv</span></code></a>. This has been
fixed. [GL #5084]</p>
</li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-32">
<h2><a class="toc-backref" href="#id144" role="doc-backlink">Notes for BIND 9.18.32</a><a class="headerlink" href="#notes-for-bind-9-18-32" title="Link to this heading"></a></h2>
<section id="id11">
<h3><a class="toc-backref" href="#id145" role="doc-backlink">New Features</a><a class="headerlink" href="#id11" title="Link to this heading"></a></h3>
<ul>
<li><p>Update built-in <code class="file docutils literal notranslate"><span class="pre">bind.keys</span></code> file with the new 2025 <a class="reference external" href="https://www.iana.org/dnssec/files">IANA root key</a>.</p>
<p>Add an <cite>initial-ds</cite> entry to <code class="file docutils literal notranslate"><span class="pre">bind.keys</span></code> for the new root key, ID
38696, which is scheduled for publication in January 2025. [GL #4896]</p>
</li>
</ul>
</section>
<section id="id12">
<h3><a class="toc-backref" href="#id146" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id12" title="Link to this heading"></a></h3>
<ul>
<li><p>Move contributed DLZ modules into a separate repository. DLZ modules should
not be used except in testing.</p>
<p>The DLZ modules were not maintained, the DLZ interface itself is going to be
scheduled for removal, and the DLZ interface is blocking. Any module that
blocks the query to the <a class="reference internal" href="reference.html#namedconf-statement-database" title="namedconf-statement-database"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">database</span></code></a> blocks the whole server.</p>
<p>The DLZ modules now live in
<a class="reference external" href="https://gitlab.isc.org/isc-projects/dlz-modules">https://gitlab.isc.org/isc-projects/dlz-modules</a> repository.
[GL #4865]</p>
</li>
</ul>
</section>
<section id="id13">
<h3><a class="toc-backref" href="#id147" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id13" title="Link to this heading"></a></h3>
<ul>
<li><p>Emit more helpful log messages for exceeding <a class="reference internal" href="reference.html#namedconf-statement-max-records-per-type" title="namedconf-statement-max-records-per-type"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-records-per-type</span></code></a>.</p>
<p>The new log message is emitted when adding or updating an RRset fails
due to exceeding the <a class="reference internal" href="reference.html#namedconf-statement-max-records-per-type" title="namedconf-statement-max-records-per-type"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-records-per-type</span></code></a> limit. The log includes the
owner name and type, corresponding zone name, and the limit value. It
will be emitted on loading a zone file, inbound zone transfer (both
AXFR and IXFR), handling a DDNS update, or updating a cache DB. It’s
especially helpful in the case of zone transfer, since the secondary
side doesn’t have direct access to the offending zone data.</p>
<p>It could also be used for <a class="reference internal" href="reference.html#namedconf-statement-max-types-per-name" title="namedconf-statement-max-types-per-name"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-types-per-name</span></code></a>, but this change doesn’t
implement it yet as it’s much less likely to happen in practice.</p>
</li>
<li><p>Harden key management when key files have become unavailable.</p>
<p>Prior to doing key management, BIND 9 will check if the key files on
disk match the expected keys. If key files for previously observed
keys have become unavailable, this will prevent the internal key
manager from running.</p>
</li>
</ul>
</section>
<section id="id14">
<h3><a class="toc-backref" href="#id148" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id14" title="Link to this heading"></a></h3>
<ul>
<li><p><cite>{&dns}</cite> is as valid as <cite>{?dns}</cite> in a SVCB’s dohpath.</p>
<p><a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a> failed to parse a valid <cite>SVCB</cite> record with a <cite>dohpath</cite> URI
template containing a <cite>{&dns}</cite>, like <cite>dohpath=/some/path?key=value{&dns}”</cite>.
[GL #4922]</p>
</li>
<li><p>Fix NSEC3 closest encloser lookup for names with empty non-terminals.</p>
<p>A previous performance optimization for finding the NSEC3 closest encloser
when generating authoritative responses could cause servers to return
incorrect NSEC3 records in some cases. This faulty optimization has been removed.
[GL #4950]</p>
</li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a> options of the form <cite>[+-]option=<value></cite> failed to display the
value on the printed command line. This has been fixed. [GL #4993]</p></li>
<li><p>Provide more visibility into TLS configuration errors by logging
<cite>SSL_CTX_use_certificate_chain_file()</cite> and <cite>SSL_CTX_use_PrivateKey_file()</cite>
errors individually. [GL #5008]</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-31">
<h2><a class="toc-backref" href="#id149" role="doc-backlink">Notes for BIND 9.18.31</a><a class="headerlink" href="#notes-for-bind-9-18-31" title="Link to this heading"></a></h2>
<section id="id15">
<h3><a class="toc-backref" href="#id150" role="doc-backlink">New Features</a><a class="headerlink" href="#id15" title="Link to this heading"></a></h3>
<ul>
<li><p>Added WALLET type.</p>
<p>Add the new record type WALLET (262). This provides a mapping from a
domain name to a cryptographic currency wallet. Multiple mappings can
exist if multiple records exist. [GL #4947]</p>
</li>
</ul>
</section>
<section id="id16">
<h3><a class="toc-backref" href="#id151" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id16" title="Link to this heading"></a></h3>
<ul>
<li><p>Allow IXFR-to-AXFR fallback on <code class="docutils literal notranslate"><span class="pre">DNS_R_TOOMANYRECORDS</span></code>.</p>
<p>This change allows fallback from an IXFR failure to AXFR when the
reason is <code class="docutils literal notranslate"><span class="pre">DNS_R_TOOMANYRECORDS</span></code>. [GL #4928]</p>
</li>
</ul>
</section>
<section id="id17">
<h3><a class="toc-backref" href="#id152" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id17" title="Link to this heading"></a></h3>
<ul>
<li><p>Fix a statistics channel counter bug when “forward only” zones are
used.</p>
<p>When resolving a zone with a “forward only” policy, and finding out
that all the forwarders were marked as “bad”, the “ServerQuota”
counter of the statistics channel was incorrectly increased. This has
been fixed. [GL #1793]</p>
</li>
<li><p>Fix a bug in the static-stub implementation.</p>
<p>Static-stub addresses and addresses from other sources were being
mixed together, resulting in static-stub queries going to addresses
not specified in the configuration, or alternatively, static-stub
addresses being used instead of the correct server addresses.
[GL #4850]</p>
</li>
<li><p>Don’t allow <a class="reference internal" href="reference.html#namedconf-statement-statistics-channels" title="namedconf-statement-statistics-channels"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">statistics-channels</span></code></a> if libxml2 and libjson-c are
not configured.</p>
<p>When BIND 9 is not configured with the libxml2 and libjson-c
libraries, the use of the <a class="reference internal" href="reference.html#namedconf-statement-statistics-channels" title="namedconf-statement-statistics-channels"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">statistics-channels</span></code></a> option is a fatal
error. [GL #4895]</p>
</li>
<li><p>Limit the outgoing UDP send queue size.</p>
<p>If the operating system UDP queue got full and the outgoing UDP
sending started to be delayed, BIND 9 could exhibit memory spikes as
it tried to enqueue all the outgoing UDP messages. It now tries to
deliver the outgoing UDP messages synchronously; if that fails, it
drops the outgoing DNS message that would get queued up and then
timeout on the client side. [GL #4930]</p>
</li>
<li><p>Do not set <code class="docutils literal notranslate"><span class="pre">SO_INCOMING_CPU</span></code>.</p>
<p>Remove the <code class="docutils literal notranslate"><span class="pre">SO_INCOMING_CPU</span></code> setting as kernel scheduling performs
better without constraints. [GL #4936]</p>
</li>
</ul>
</section>
<section id="id18">
<h3><a class="toc-backref" href="#id153" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id18" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-30">
<h2><a class="toc-backref" href="#id154" role="doc-backlink">Notes for BIND 9.18.30</a><a class="headerlink" href="#notes-for-bind-9-18-30" title="Link to this heading"></a></h2>
<section id="id19">
<h3><a class="toc-backref" href="#id155" role="doc-backlink">New Features</a><a class="headerlink" href="#id19" title="Link to this heading"></a></h3>
<ul>
<li><p>Print the full path of the working directory in startup log messages.</p>
<p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now prints its initial working directory during
startup, and the changed working directory when loading or reloading
its configuration file, if it has a valid <a class="reference internal" href="reference.html#namedconf-statement-directory" title="namedconf-statement-directory"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">directory</span></code></a> option
defined. [GL #4731]</p>
</li>
</ul>
</section>
<section id="id20">
<h3><a class="toc-backref" href="#id156" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id20" title="Link to this heading"></a></h3>
<ul>
<li><p>Improve performance for queries that require an NSEC3 wildcard proof.</p>
<p>Rather than starting from the longest matching part of the requested name,
lookup the shortest partial match. Most of the time this will be the actual
closest encloser. [GL #4460]</p>
</li>
<li><p>Follow the number of CPUs set by <code class="docutils literal notranslate"><span class="pre">taskset</span></code>/<code class="docutils literal notranslate"><span class="pre">cpuset</span></code>.</p>
<p>Administrators may wish to constrain the set of cores that
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> runs on via the <code class="docutils literal notranslate"><span class="pre">taskset</span></code>, <code class="docutils literal notranslate"><span class="pre">cpuset</span></code>, or <code class="docutils literal notranslate"><span class="pre">numactl</span></code>
programs (or equivalents on other OSes).</p>
<p>If the admin has used <code class="docutils literal notranslate"><span class="pre">taskset</span></code>, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now automatically
uses the given number of CPUs rather than the system-wide count.
[GL #4884]</p>
</li>
</ul>
</section>
<section id="id21">
<h3><a class="toc-backref" href="#id157" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id21" title="Link to this heading"></a></h3>
<ul>
<li><p>Verification of the privacy of an EDDSA key was broken.</p>
<p>The check could lead to an attempt to sign records with a public key,
which could cause a segmentation failure (read of a NULL pointer)
within OpenSSL. This has been fixed. [GL #4855]</p>
</li>
<li><p>Fix algorithm rollover bug when there are two keys with the same
keytag.</p>
<p>If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility that the
check of whether the key matched a specific state could be performed
against the wrong key. This has been fixed by not only checking for
the matching key tag but also the key algorithm. [GL #4878]</p>
</li>
</ul>
</section>
<section id="id22">
<h3><a class="toc-backref" href="#id158" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id22" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-29">
<h2><a class="toc-backref" href="#id159" role="doc-backlink">Notes for BIND 9.18.29</a><a class="headerlink" href="#notes-for-bind-9-18-29" title="Link to this heading"></a></h2>
<section id="id23">
<h3><a class="toc-backref" href="#id160" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id23" title="Link to this heading"></a></h3>
<ul>
<li><p>Tighten <a class="reference internal" href="reference.html#namedconf-statement-max-recursion-queries" title="namedconf-statement-max-recursion-queries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-recursion-queries</span></code></a> and add <a class="reference internal" href="reference.html#namedconf-statement-max-query-restarts" title="namedconf-statement-max-query-restarts"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-query-restarts</span></code></a>
configuration statement.</p>
<p>There were cases when the <a class="reference internal" href="reference.html#namedconf-statement-max-recursion-queries" title="namedconf-statement-max-recursion-queries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-recursion-queries</span></code></a>
quota was ineffective. It was possible to craft zones that would cause
a resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by correcting
errors in the implementation of <a class="reference internal" href="reference.html#namedconf-statement-max-recursion-queries" title="namedconf-statement-max-recursion-queries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-recursion-queries</span></code></a> and by
reducing the default value from 100 to 32.</p>
<p>In addition, a new <a class="reference internal" href="reference.html#namedconf-statement-max-query-restarts" title="namedconf-statement-max-query-restarts"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-query-restarts</span></code></a> configuration statement has been
added, which limits the number of times a recursive server will follow CNAME
or DNAME records before terminating resolution. This was previously a
hard-coded limit of 16 but is now configurable with a default value of 11.</p>
<p>ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin
Tanir from NetSec group, ETH Zurich for discovering and notifying us about
the issue. [GL #4741] [GL !9283]</p>
</li>
<li><p>Raise the log level of priming failures.</p>
<p>When a priming query is complete, it was previously logged at level
<code class="docutils literal notranslate"><span class="pre">DEBUG(1)</span></code>, regardless of success or failure. It is now
logged to <code class="docutils literal notranslate"><span class="pre">NOTICE</span></code> in the case of failure. [GL #3516]
[GL !9251]</p>
</li>
<li><p>Add a compatibility shim for older libuv versions (< 1.19.0)</p>
<p>The function uv_stream_get_write_queue_size() is supported only in relatively
new versions of libuv (1.19.0 or higher). Provide a compatibility
shim for this function so BIND 9 can be built in environments with
older libuv versions.</p>
</li>
</ul>
</section>
<section id="id24">
<h3><a class="toc-backref" href="#id161" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id24" title="Link to this heading"></a></h3>
<ul>
<li><p>Return SERVFAIL for a too long CNAME chain.</p>
<p>When following long CNAME chains, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> was returning NOERROR
(along with a partial answer) instead of SERVFAIL, if the chain exceeded the
maximum length. This has been fixed. [GL #4449] [GL !9204]</p>
</li>
<li><p>Reconfigure catz member zones during <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> reconfiguration.</p>
<p>During a reconfiguration, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> wasn’t reconfiguring catalog
zones’ member zones. This has been fixed. [GL #4733]</p>
</li>
<li><p>Update key lifetime and metadata after <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> reconfiguration.</p>
<p>Adjust key state and timing metadata if <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> key
lifetime configuration is updated, so that it also affects existing
keys. [GL #4677] [GL !9192]</p>
</li>
<li><p>Fix generation of 6to4-self name expansion from IPv4 address.</p>
<p>The period between the most significant nibble of the encoded IPv4
address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the
wrong name being checked. This has been fixed. [GL #4766] [GL !9218]</p>
</li>
<li><p><a class="reference internal" href="manpages.html#cmdoption-dig-arg-yaml"><code class="xref std std-option docutils literal notranslate"><span class="pre">dig</span> <span class="pre">+yaml</span></code></a> was producing unexpected and/or invalid YAML.
output. [GL #4796] [GL !9214]</p></li>
<li><p>SVBC ALPN text parsing failed to reject zero-length ALPN. [GL #4775] [GL !9210]</p></li>
<li><p>Fix false QNAME minimisation error being reported.</p>
<p>Remove the false positive <code class="docutils literal notranslate"><span class="pre">success</span> <span class="pre">resolving</span></code> log message when QNAME
minimisation is in effect and the final result is an NXDOMAIN.
[GL #4784] [GL !9216]</p>
</li>
<li><p>Fix dig +timeout argument when using +https.</p>
<p>The +timeout argument was not used on DoH connections. This has been
fixed. [GL #4806] [GL !9161]</p>
</li>
</ul>
</section>
<section id="id25">
<h3><a class="toc-backref" href="#id162" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id25" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-28">
<h2><a class="toc-backref" href="#id163" role="doc-backlink">Notes for BIND 9.18.28</a><a class="headerlink" href="#notes-for-bind-9-18-28" title="Link to this heading"></a></h2>
<section id="id26">
<h3><a class="toc-backref" href="#id164" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id26" title="Link to this heading"></a></h3>
<ul>
<li><p>A malicious DNS client that sent many queries over TCP but never read
the responses could cause a server to respond slowly or not at all for
other clients. This has been fixed. <span class="target" id="index-2"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-0760"><strong>(CVE-2024-0760)</strong></a> [GL #4481]</p></li>
<li><p>It is possible to craft excessively large resource records sets, which
have the effect of slowing down database processing. This has been
addressed by adding a configurable limit to the number of records that
can be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
<a class="reference internal" href="reference.html#namedconf-statement-max-records-per-type" title="namedconf-statement-max-records-per-type"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-records-per-type</span></code></a> option. [GL #497] [GL #3405]</p>
<p>It is possible to craft excessively large numbers of resource record
types for a given owner name, which has the effect of slowing down
database processing. This has been addressed by adding a configurable
limit to the number of records that can be stored per name and type in
a cache or zone database. The default is 100, which can be tuned with
the new <a class="reference internal" href="reference.html#namedconf-statement-max-types-per-name" title="namedconf-statement-max-types-per-name"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-types-per-name</span></code></a> option. <span class="target" id="index-3"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-1737"><strong>(CVE-2024-1737)</strong></a> [GL #3403]</p>
<p>ISC would like to thank Toshifumi Sakaguchi who independently
discovered and responsibly reported the issue to ISC. [GL #4548]</p>
</li>
<li><p>Validating DNS messages signed using the SIG(0) protocol (<span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc2931.html"><strong>RFC 2931</strong></a>)
could cause excessive CPU load, leading to a denial-of-service
condition. Support for SIG(0) message validation was removed from this
version of <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>. <span class="target" id="index-5"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-1975"><strong>(CVE-2024-1975)</strong></a> [GL #4480]</p></li>
<li><p>Due to a logic error, lookups that triggered serving stale data and
required lookups in local authoritative zone data could have resulted
in an assertion failure. This has been fixed. <span class="target" id="index-6"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2024-4076"><strong>(CVE-2024-4076)</strong></a>
[GL #4507]</p></li>
<li><p>Potential data races were found in our DoH implementation, related to
HTTP/2 session object management and endpoints set object management
after reconfiguration. These issues have been fixed. [GL #4473]</p>
<p>ISC would like to thank Dzintars and Ivo from nic.lv for bringing this
to our attention.</p>
</li>
<li><p>When looking up the NS records of parent zones as part of looking up DS
records, it was possible for <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to trigger an assertion
failure if serve-stale was enabled. This has been fixed. [GL #4661]</p></li>
</ul>
</section>
<section id="id27">
<h3><a class="toc-backref" href="#id165" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id27" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Command-line options for IPv4-only (<a class="reference internal" href="manpages.html#cmdoption-named-4"><code class="xref std std-option docutils literal notranslate"><span class="pre">named</span> <span class="pre">-4</span></code></a>) and IPv6-only
(<a class="reference internal" href="manpages.html#cmdoption-named-6"><code class="xref std std-option docutils literal notranslate"><span class="pre">named</span> <span class="pre">-6</span></code></a>) modes are now respected for zone <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primaries</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-also-notify" title="namedconf-statement-also-notify"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">also-notify</span></code></a>, and <a class="reference internal" href="reference.html#namedconf-statement-parental-agents" title="namedconf-statement-parental-agents"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-agents</span></code></a>. [GL #3472]</p></li>
<li><p>An RPZ response’s SOA record TTL was set to 1 instead of the SOA TTL,
if <code class="docutils literal notranslate"><span class="pre">add-soa</span></code> was used. This has been fixed. [GL #3323]</p></li>
<li><p>When a query related to zone maintenance (NOTIFY, SOA) timed out close
to a view shutdown (triggered e.g. by <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-reload"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">reload</span></code></a>),
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could crash with an assertion failure. This has been
fixed. [GL #4719]</p></li>
<li><p>The statistics channel counters that indicated the number of currently
connected TCP IPv4/IPv6 clients were not properly adjusted in certain
failure scenarios. This has been fixed. [GL #4742]</p></li>
<li><p>Some servers that could not be reached due to EHOSTDOWN or ENETDOWN
conditions were incorrectly prioritized during server selection. These
are now properly handled as unreachable. [GL #4736]</p></li>
<li><p>On some systems the libuv call may return an error code when sending a
TCP reset for a connection, which triggers an assertion failure in
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>. This error condition is now dealt with in a more
graceful manner, by logging the incident and shutting down the
connection. [GL #4708]</p></li>
</ul>
</section>
<section id="id28">
<h3><a class="toc-backref" href="#id166" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id28" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-27">
<h2><a class="toc-backref" href="#id167" role="doc-backlink">Notes for BIND 9.18.27</a><a class="headerlink" href="#notes-for-bind-9-18-27" title="Link to this heading"></a></h2>
<section id="id29">
<h3><a class="toc-backref" href="#id168" role="doc-backlink">New Features</a><a class="headerlink" href="#id29" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A new option <a class="reference internal" href="reference.html#namedconf-statement-signatures-jitter" title="namedconf-statement-signatures-jitter"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">signatures-jitter</span></code></a> has been added to <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>
to allow signature expirations to be spread out over a period of time.
[GL #4554]</p></li>
</ul>
</section>
<section id="id30">
<h3><a class="toc-backref" href="#id169" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id30" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>DNSSEC signatures that are not valid because the current time falls outside
the signature inception and expiration dates are skipped instead of causing
an immediate validation failure. [GL #4586]</p></li>
</ul>
</section>
<section id="id31">
<h3><a class="toc-backref" href="#id170" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id31" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-26">
<h2><a class="toc-backref" href="#id171" role="doc-backlink">Notes for BIND 9.18.26</a><a class="headerlink" href="#notes-for-bind-9-18-26" title="Link to this heading"></a></h2>
<section id="id32">
<h3><a class="toc-backref" href="#id172" role="doc-backlink">New Features</a><a class="headerlink" href="#id32" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The statistics channel now includes counters that indicate the number
of currently connected TCP IPv4/IPv6 clients. [GL #4425]</p></li>
<li><p>Added RESOLVER.ARPA to the built in empty zones. [GL #4580]</p></li>
</ul>
</section>
<section id="id33">
<h3><a class="toc-backref" href="#id173" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id33" title="Link to this heading"></a></h3>
<ul>
<li><p>Changes to <code class="docutils literal notranslate"><span class="pre">listen-on</span></code> statements were ignored on reconfiguration
unless the port or interface address was changed, making it
impossible to change a related listener transport type. That issue
has been fixed.</p>
<p>ISC would like to thank Thomas Amgarten for bringing this issue to
our attention. [GL #4518] [GL #4528]</p>
</li>
<li><p>A bug in the keymgr code unintentionally slowed down some DNSSEC key
rollovers. This has been fixed. [GL #4552]</p></li>
<li><p>Some ISO 8601 durations were accepted erroneously, leading to shorter
durations than expected. This has been fixed. [GL #4624]</p></li>
</ul>
</section>
<section id="id34">
<h3><a class="toc-backref" href="#id174" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id34" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-25">
<h2><a class="toc-backref" href="#id175" role="doc-backlink">Notes for BIND 9.18.25</a><a class="headerlink" href="#notes-for-bind-9-18-25" title="Link to this heading"></a></h2>
<section id="id35">
<h3><a class="toc-backref" href="#id176" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id35" title="Link to this heading"></a></h3>
<ul>
<li><p>A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
<a class="reference internal" href="reference.html#namedconf-statement-max-cache-size" title="namedconf-statement-max-cache-size"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-cache-size</span></code></a> limit was reached. This has been fixed.
[GL #4596]</p></li>
<li><p>Using <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-flush"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">flush</span></code></a> inadvertently caused cache cleaning to
become less effective. This could ultimately lead to the configured
<a class="reference internal" href="reference.html#namedconf-statement-max-cache-size" title="namedconf-statement-max-cache-size"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-cache-size</span></code></a> limit being exceeded and has now been fixed.
[GL #4621]</p></li>
<li><p>The logic for cleaning up expired cached DNS records was
tweaked to be more aggressive. This change helps with enforcing
<a class="reference internal" href="reference.html#namedconf-statement-max-cache-ttl" title="namedconf-statement-max-cache-ttl"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-cache-ttl</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-max-ncache-ttl" title="namedconf-statement-max-ncache-ttl"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-ncache-ttl</span></code></a> in a timely manner.
[GL #4591]</p></li>
<li><p>It was possible to trigger a use-after-free assertion when the overmem cache
cleaning was initiated. This has been fixed. [GL #4595]</p>
<p>ISC would like to thank Jinmei Tatuya of Infoblox for bringing
this issue to our attention.</p>
</li>
</ul>
</section>
<section id="id36">
<h3><a class="toc-backref" href="#id177" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id36" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-24">
<h2><a class="toc-backref" href="#id178" role="doc-backlink">Notes for BIND 9.18.24</a><a class="headerlink" href="#notes-for-bind-9-18-24" title="Link to this heading"></a></h2>
<section id="id37">
<h3><a class="toc-backref" href="#id179" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id37" title="Link to this heading"></a></h3>
<ul>
<li><p>Validating DNS messages containing a lot of DNSSEC signatures could
cause excessive CPU load, leading to a denial-of-service condition.
This has been fixed. <span class="target" id="index-7"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-50387"><strong>(CVE-2023-50387)</strong></a></p>
<p>ISC would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel,
and Michael Waidner from the German National Research Center for
Applied Cybersecurity ATHENE for bringing this vulnerability to our
attention. [GL #4424]</p>
</li>
<li><p>Preparing an NSEC3 closest encloser proof could cause excessive CPU
load, leading to a denial-of-service condition. This has been fixed.
<span class="target" id="index-8"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-50868"><strong>(CVE-2023-50868)</strong></a> [GL #4459]</p></li>
<li><p>Parsing DNS messages with many different names could cause excessive
CPU load. This has been fixed. <span class="target" id="index-9"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-4408"><strong>(CVE-2023-4408)</strong></a></p>
<p>ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
University, and Yuval Shavitt from Tel-Aviv University for bringing
this vulnerability to our attention. [GL #4234]</p>
</li>
<li><p>Specific queries could cause <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to crash with an
assertion failure when <a class="reference internal" href="reference.html#namedconf-statement-nxdomain-redirect" title="namedconf-statement-nxdomain-redirect"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">nxdomain-redirect</span></code></a> was enabled. This has
been fixed. <span class="target" id="index-10"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-5517"><strong>(CVE-2023-5517)</strong></a> [GL #4281]</p></li>
<li><p>A bad interaction between DNS64 and serve-stale could cause
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to crash with an assertion failure, when both of these
features were enabled. This has been fixed. <span class="target" id="index-11"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-5679"><strong>(CVE-2023-5679)</strong></a>
[GL #4334]</p></li>
<li><p>Under certain circumstances, the DNS-over-TLS client code incorrectly
attempted to process more than one DNS message at a time, which could
cause <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to crash with an assertion failure. This has
been fixed. [GL #4487]</p></li>
</ul>
</section>
<section id="id38">
<h3><a class="toc-backref" href="#id180" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id38" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The counters exported via the statistics channel were changed back to
64-bit signed values; they were being inadvertently truncated to
unsigned 32-bit values since BIND 9.15.0. [GL #4467]</p></li>
</ul>
</section>
<section id="id39">
<h3><a class="toc-backref" href="#id181" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id39" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-23">
<h2><a class="toc-backref" href="#id182" role="doc-backlink">Notes for BIND 9.18.23</a><a class="headerlink" href="#notes-for-bind-9-18-23" title="Link to this heading"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The BIND 9.18.23 release was withdrawn after the discovery of a
regression in a security fix in it during pre-release testing. ISC
would like to acknowledge the assistance of Vinzenz Vogel and Daniel
Stirnimann of SWITCH.</p>
</div>
</section>
<section id="notes-for-bind-9-18-22">
<h2><a class="toc-backref" href="#id183" role="doc-backlink">Notes for BIND 9.18.22</a><a class="headerlink" href="#notes-for-bind-9-18-22" title="Link to this heading"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The BIND 9.18.22 release was withdrawn after the discovery of a
regression in a security fix in it during pre-release testing. ISC
would like to acknowledge the assistance of Curtis Tuplin of SaskTel.</p>
</div>
</section>
<section id="notes-for-bind-9-18-21">
<h2><a class="toc-backref" href="#id184" role="doc-backlink">Notes for BIND 9.18.21</a><a class="headerlink" href="#notes-for-bind-9-18-21" title="Link to this heading"></a></h2>
<section id="id40">
<h3><a class="toc-backref" href="#id185" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id40" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Support for using AES as the DNS COOKIE algorithm (<code class="docutils literal notranslate"><span class="pre">cookie-algorithm</span>
<span class="pre">aes;</span></code>) has been deprecated and will be removed in a future release.
Please use the current default, SipHash-2-4, instead. [GL #4421]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-resolver-nonbackoff-tries" title="namedconf-statement-resolver-nonbackoff-tries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">resolver-nonbackoff-tries</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-resolver-retry-interval" title="namedconf-statement-resolver-retry-interval"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">resolver-retry-interval</span></code></a>
statements have been deprecated. Using them now causes a warning to be
logged. [GL #4405]</p></li>
</ul>
</section>
<section id="id41">
<h3><a class="toc-backref" href="#id186" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id41" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-20">
<h2><a class="toc-backref" href="#id187" role="doc-backlink">Notes for BIND 9.18.20</a><a class="headerlink" href="#notes-for-bind-9-18-20" title="Link to this heading"></a></h2>
<section id="id42">
<h3><a class="toc-backref" href="#id188" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id42" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The IP addresses for B.ROOT-SERVERS.NET have been updated to
170.247.170.2 and 2801:1b8:10::b. [GL #4101]</p></li>
</ul>
</section>
<section id="id43">
<h3><a class="toc-backref" href="#id189" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id43" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>If the unsigned version of an inline-signed zone contained DNSSEC
records, it was incorrectly scheduled for resigning. This has been
fixed. [GL #4350]</p></li>
<li><p>Looking up stale data from the cache did not take local authoritative
data into account. This has been fixed. [GL #4355]</p></li>
<li><p>An assertion failure was triggered when <a class="reference internal" href="reference.html#namedconf-statement-lock-file" title="namedconf-statement-lock-file"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">lock-file</span></code></a> was used at
the same time as the <a class="reference internal" href="manpages.html#cmdoption-named-X"><code class="xref std std-option docutils literal notranslate"><span class="pre">named</span> <span class="pre">-X</span></code></a> command-line option. This has
been fixed. [GL #4386]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-lock-file" title="namedconf-statement-lock-file"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">lock-file</span></code></a> file was being removed when it should not have
been, making the statement ineffective when <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> was
started three or more times. This has been fixed. [GL #4387]</p></li>
</ul>
</section>
<section id="id44">
<h3><a class="toc-backref" href="#id190" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id44" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-19">
<h2><a class="toc-backref" href="#id191" role="doc-backlink">Notes for BIND 9.18.19</a><a class="headerlink" href="#notes-for-bind-9-18-19" title="Link to this heading"></a></h2>
<section id="id45">
<h3><a class="toc-backref" href="#id192" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id45" title="Link to this heading"></a></h3>
<ul>
<li><p>Previously, sending a specially crafted message over the control
channel could cause the packet-parsing code to run out of available
stack memory, causing <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to terminate unexpectedly.
This has been fixed. <span class="target" id="index-12"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-3341"><strong>(CVE-2023-3341)</strong></a></p>
<p>ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
bringing this vulnerability to our attention. [GL #4152]</p>
</li>
<li><p>A flaw in the networking code handling DNS-over-TLS queries could
cause <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to terminate unexpectedly due to an assertion
failure under significant DNS-over-TLS query load. This has been
fixed. <span class="target" id="index-13"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-4236"><strong>(CVE-2023-4236)</strong></a></p>
<p>ISC would like to thank Robert Story from USC/ISI Root Server
Operations for bringing this vulnerability to our attention.
[GL #4242]</p>
</li>
</ul>
</section>
<section id="id46">
<h3><a class="toc-backref" href="#id193" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id46" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-dnssec-must-be-secure" title="namedconf-statement-dnssec-must-be-secure"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-must-be-secure</span></code></a> option has been deprecated and will
be removed in a future release. [GL #4263]</p></li>
</ul>
</section>
<section id="id47">
<h3><a class="toc-backref" href="#id194" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id47" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>If the <code class="docutils literal notranslate"><span class="pre">server</span></code> command is specified, <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a> now honors
the <a class="reference internal" href="manpages.html#cmdoption-nsupdate-v"><code class="xref std std-option docutils literal notranslate"><span class="pre">nsupdate</span> <span class="pre">-v</span></code></a> option for SOA queries by sending both the
UPDATE request and the initial query over TCP. [GL #1181]</p></li>
</ul>
</section>
<section id="id48">
<h3><a class="toc-backref" href="#id195" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id48" title="Link to this heading"></a></h3>
<ul>
<li><p>The value of the If-Modified-Since header in the statistics channel
was not being correctly validated for its length, potentially allowing
an authorized user to trigger a buffer overflow. Ensuring the
statistics channel is configured correctly to grant access exclusively
to authorized users is essential (see the <a class="reference internal" href="reference.html#namedconf-statement-statistics-channels" title="namedconf-statement-statistics-channels"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">statistics-channels</span></code></a>
block definition and usage section). [GL #4124]</p>
<p>This issue was reported independently by Eric Sesterhenn of X41 D-Sec
GmbH and Cameron Whitehead.</p>
</li>
<li><p>The Content-Length header in the statistics channel was lacking proper
bounds checking. A negative or excessively large value could
potentially trigger an integer overflow and result in an assertion
failure. [GL #4125]</p>
<p>This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.</p>
</li>
<li><p>Several memory leaks caused by not clearing the OpenSSL error stack
were fixed. [GL #4159]</p>
<p>This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.</p>
</li>
<li><p>The introduction of <code class="docutils literal notranslate"><span class="pre">krb5-subdomain-self-rhs</span></code> and
<code class="docutils literal notranslate"><span class="pre">ms-subdomain-self-rhs</span></code> UPDATE policies accidentally caused
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to return SERVFAIL responses to deletion requests for
non-existent PTR and SRV records. This has been fixed. [GL #4280]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-stale-refresh-time" title="namedconf-statement-stale-refresh-time"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-refresh-time</span></code></a> feature was mistakenly disabled when the
server cache was flushed by <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-flush"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">flush</span></code></a>. This has been fixed.
[GL #4278]</p></li>
<li><p>BIND’s memory consumption has been improved by implementing dedicated
jemalloc memory arenas for sending buffers. This optimization ensures
that memory usage is more efficient and better manages the return of
memory pages to the operating system. [GL #4038]</p></li>
<li><p>Previously, partial writes in the TLS DNS code were not accounted for
correctly, which could have led to DNS message corruption. This has
been fixed. [GL #4255]</p></li>
</ul>
</section>
<section id="id49">
<h3><a class="toc-backref" href="#id196" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id49" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-18">
<h2><a class="toc-backref" href="#id197" role="doc-backlink">Notes for BIND 9.18.18</a><a class="headerlink" href="#notes-for-bind-9-18-18" title="Link to this heading"></a></h2>
<section id="id50">
<h3><a class="toc-backref" href="#id198" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id50" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>When a primary server for a zone responds to an SOA query, but the
subsequent TCP connection required to transfer the zone is refused,
that server is marked as temporarily unreachable. This now also
happens if the TCP connection attempt times out, preventing too many
zones from queuing up on an unreachable server and allowing the
refresh process to move on to the next configured primary more
quickly. [GL #4215]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-dialup" title="namedconf-statement-dialup"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dialup</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-heartbeat-interval" title="namedconf-statement-heartbeat-interval"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">heartbeat-interval</span></code></a> options have been
deprecated and will be removed in a future BIND 9 release. [GL #3700]</p></li>
</ul>
</section>
<section id="id51">
<h3><a class="toc-backref" href="#id199" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id51" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Processing already-queued queries received over TCP could cause an
assertion failure, when the server was reconfigured at the same time
or the cache was being flushed. This has been fixed. [GL #4200]</p></li>
<li><p>Setting <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> to <code class="docutils literal notranslate"><span class="pre">insecure</span></code> prevented zones
containing resource records with a TTL value larger than 86400 seconds
(1 day) from being loaded. This has been fixed by ignoring the TTL
values in the zone and using a value of 604800 seconds (1 week) as the
maximum zone TTL in key rollover timing calculations. [GL #4032]</p></li>
</ul>
</section>
<section id="id52">
<h3><a class="toc-backref" href="#id200" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id52" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-17">
<h2><a class="toc-backref" href="#id201" role="doc-backlink">Notes for BIND 9.18.17</a><a class="headerlink" href="#notes-for-bind-9-18-17" title="Link to this heading"></a></h2>
<section id="id53">
<h3><a class="toc-backref" href="#id202" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id53" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>If a response from an authoritative server has its RCODE set to
FORMERR and contains an echoed EDNS COOKIE option that was present in
the query, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now retries sending the query to the
same server without an EDNS COOKIE option. [GL #4049]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">relaxed</span></code> QNAME minimization mode now uses NS records. This
reduces the number of queries <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> makes when resolving, as
it allows the non-existence of NS RRsets at non-referral nodes to be
cached in addition to the normally cached referrals. [GL #3325]</p></li>
</ul>
</section>
<section id="id54">
<h3><a class="toc-backref" href="#id203" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id54" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The ability to read HMAC-MD5 key files, which was accidentally lost in
BIND 9.18.8, has been restored. [GL #3668] [GL #4154]</p></li>
<li><p>Several minor stability issues with the catalog zone implementation
have been fixed. [GL #4132] [GL #4136] [GL #4171]</p></li>
</ul>
</section>
<section id="id55">
<h3><a class="toc-backref" href="#id204" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id55" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-16">
<h2><a class="toc-backref" href="#id205" role="doc-backlink">Notes for BIND 9.18.16</a><a class="headerlink" href="#notes-for-bind-9-18-16" title="Link to this heading"></a></h2>
<section id="id56">
<h3><a class="toc-backref" href="#id206" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id56" title="Link to this heading"></a></h3>
<ul>
<li><p>The overmem cleaning process has been improved, to prevent the cache from
significantly exceeding the configured <a class="reference internal" href="reference.html#namedconf-statement-max-cache-size" title="namedconf-statement-max-cache-size"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-cache-size</span></code></a> limit.
<span class="target" id="index-14"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-2828"><strong>(CVE-2023-2828)</strong></a></p>
<p>ISC would like to thank Shoham Danino from Reichman University, Anat
Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to
our attention. [GL #4055]</p>
</li>
<li><p>A query that prioritizes stale data over lookup triggers a fetch to refresh
the stale data in cache. If the fetch is aborted for exceeding the recursion
quota, it was possible for <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to enter an infinite callback
loop and crash due to stack overflow. This has been fixed. <span class="target" id="index-15"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2023-2911"><strong>(CVE-2023-2911)</strong></a>
[GL #4089]</p></li>
</ul>
</section>
<section id="id57">
<h3><a class="toc-backref" href="#id207" role="doc-backlink">New Features</a><a class="headerlink" href="#id57" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The system test suite can now be executed with pytest (along with
pytest-xdist for parallel execution). [GL #3978]</p></li>
</ul>
</section>
<section id="id58">
<h3><a class="toc-backref" href="#id208" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id58" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and
will be removed in a future release. A warning will be logged when
the <a class="reference internal" href="reference.html#namedconf-statement-tkey-dhkey" title="namedconf-statement-tkey-dhkey"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tkey-dhkey</span></code></a> option is used in <code class="docutils literal notranslate"><span class="pre">named.conf</span></code>. [GL #3905]</p></li>
</ul>
</section>
<section id="id59">
<h3><a class="toc-backref" href="#id209" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id59" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>BIND could get stuck on reconfiguration when a <a class="reference internal" href="reference.html#namedconf-statement-listen-on" title="namedconf-statement-listen-on"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">listen-on</span></code></a>
statement for HTTP is removed from the configuration. That has been
fixed. [GL #4071]</p></li>
<li><p>Previously, it was possible for a delegation from cache to be returned
to the client after the <a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> duration.
This has been fixed. [GL #3950]</p></li>
<li><p>BIND could allocate too big buffers when sending data via
stream-based DNS transports, leading to increased memory usage.
This has been fixed. [GL #4038]</p></li>
<li><p>When the <a class="reference internal" href="reference.html#namedconf-statement-stale-answer-enable" title="namedconf-statement-stale-answer-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-enable</span></code></a> option was enabled and the
<a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> option was enabled and larger than
0, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> previously allocated two slots from the
<a class="reference internal" href="reference.html#namedconf-statement-clients-per-query" title="namedconf-statement-clients-per-query"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">clients-per-query</span></code></a> limit for each client and failed to gradually
auto-tune its value, as configured. This has been fixed. [GL #4074]</p></li>
</ul>
</section>
<section id="id60">
<h3><a class="toc-backref" href="#id210" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id60" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-15">
<h2><a class="toc-backref" href="#id211" role="doc-backlink">Notes for BIND 9.18.15</a><a class="headerlink" href="#notes-for-bind-9-18-15" title="Link to this heading"></a></h2>
<section id="id61">
<h3><a class="toc-backref" href="#id212" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id61" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-max-transfer-time-in" title="namedconf-statement-max-transfer-time-in"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-transfer-time-in</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-max-transfer-idle-in" title="namedconf-statement-max-transfer-idle-in"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-transfer-idle-in</span></code></a>
statements have not had any effect since the BIND 9 networking stack
was refactored in version 9.16. The missing functionality has been
re-implemented and incoming zone transfers now time out properly when
not progressing. [GL #4004]</p></li>
<li><p>The read timeout in <a class="reference internal" href="manpages.html#std-iscman-rndc"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">rndc</span></code></a> is now 60 seconds, matching the
behavior in BIND 9.16 and earlier. It had previously been lowered to
30 seconds by mistake. [GL #4046]</p></li>
<li><p>When the <code class="docutils literal notranslate"><span class="pre">ISC_R_INVALIDPROTO</span></code> (<code class="docutils literal notranslate"><span class="pre">ENOPROTOOPT</span></code>, <code class="docutils literal notranslate"><span class="pre">EPROTONOSUPPORT</span></code>)
error code is returned by libuv, it is now treated as a network
failure: the server for which that error code is returned gets marked
as broken and is not contacted again during a given resolution
process. [GL #4005]</p></li>
<li><p>When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up. This
has been fixed. [GL #4027]</p></li>
<li><p>Log file rotation code did not clean up older versions of log files
when the logging <a class="reference internal" href="reference.html#namedconf-statement-channel" title="namedconf-statement-channel"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">channel</span></code></a> had an absolute path configured as a
<code class="docutils literal notranslate"><span class="pre">file</span></code> destination. This has been fixed. [GL #3991]</p></li>
</ul>
</section>
<section id="id62">
<h3><a class="toc-backref" href="#id213" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id62" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Sending NOTIFY messages silently fails when the source port specified
in the <a class="reference internal" href="reference.html#namedconf-statement-notify-source" title="namedconf-statement-notify-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">notify-source</span></code></a> statement is already in use. This can
happen e.g. when multiple servers are configured as NOTIFY targets for
a zone and some of them are unresponsive. This issue can be worked
around by not specifying the source port for NOTIFY messages in the
<a class="reference internal" href="reference.html#namedconf-statement-notify-source" title="namedconf-statement-notify-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">notify-source</span></code></a> statement; note that source port configuration is
already <a class="reference external" href="https://gitlab.isc.org/isc-projects/bind9/-/issues/3781">deprecated</a> and will be removed altogether in a future
release. [GL #4002]</p></li>
<li><p>See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known
issues affecting this BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-14">
<h2><a class="toc-backref" href="#id214" role="doc-backlink">Notes for BIND 9.18.14</a><a class="headerlink" href="#notes-for-bind-9-18-14" title="Link to this heading"></a></h2>
<section id="id63">
<h3><a class="toc-backref" href="#id215" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id63" title="Link to this heading"></a></h3>
<ul>
<li><p>Zone type <code class="docutils literal notranslate"><span class="pre">delegation-only</span></code>, and the <code class="docutils literal notranslate"><span class="pre">delegation-only</span></code> and
<code class="docutils literal notranslate"><span class="pre">root-delegation-only</span></code> statements, have been deprecated.
A warning is now logged when they are used.</p>
<p>These statements were created to address the SiteFinder controversy,
in which certain top-level domains redirected misspelled queries to
other sites instead of returning NXDOMAIN responses. Since top-level
domains are now DNSSEC-signed, and DNSSEC validation is active by
default, the statements are no longer needed. [GL #3953]</p>
</li>
</ul>
</section>
<section id="id64">
<h3><a class="toc-backref" href="#id216" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id64" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Several bugs which could cause <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to crash during catalog
zone processing have been fixed. [GL #3955] [GL #3968] [GL #3997]</p></li>
<li><p>Previously, downloading large zones over TLS (XoT) from a primary
could hang the transfer on the secondary, especially when the
connection was unstable. This has been fixed. [GL #3867]</p></li>
<li><p>Performance of DNSSEC validation in zones with many DNSKEY records has
been improved. [GL #3981]</p></li>
</ul>
</section>
<section id="id65">
<h3><a class="toc-backref" href="#id217" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id65" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-13">
<h2><a class="toc-backref" href="#id218" role="doc-backlink">Notes for BIND 9.18.13</a><a class="headerlink" href="#notes-for-bind-9-18-13" title="Link to this heading"></a></h2>
<section id="id66">
<h3><a class="toc-backref" href="#id219" role="doc-backlink">New Features</a><a class="headerlink" href="#id66" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>RPZ updates are now run on specialized “offload” threads to reduce the
amount of time they block query processing on the main networking
threads. This increases the responsiveness of <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> when RPZ
updates are being applied after an RPZ zone has been successfully
transferred. [GL #3190]</p></li>
</ul>
</section>
<section id="id67">
<h3><a class="toc-backref" href="#id220" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id67" title="Link to this heading"></a></h3>
<ul>
<li><p>Catalog zone updates are now run on specialized “offload” threads to
reduce the amount of time they block query processing on the main
networking threads. This increases the responsiveness of
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> when catalog zone updates are being applied after a
catalog zone has been successfully transferred. [GL #3881]</p></li>
<li><p>libuv support for receiving multiple UDP messages in a single
<code class="docutils literal notranslate"><span class="pre">recvmmsg()</span></code> system call has been tweaked several times between
libuv versions 1.35.0 and 1.40.0; the current recommended libuv
version is 1.40.0 or higher. New rules are now in effect for running
with a different version of libuv than the one used at compilation
time. These rules may trigger a fatal error at startup:</p>
<ul class="simple">
<li><p>Building against or running with libuv versions 1.35.0 and 1.36.0 is
now a fatal error.</p></li>
<li><p>Running with libuv version higher than 1.34.2 is now a fatal error
when <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> is built against libuv version 1.34.2 or lower.</p></li>
<li><p>Running with libuv version higher than 1.39.0 is now a fatal error
when <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> is built against libuv version 1.37.0, 1.38.0,
1.38.1, or 1.39.0.</p></li>
</ul>
<p>This prevents the use of libuv versions that may trigger an assertion
failure when receiving multiple UDP messages in a single system call.
[GL #3840]</p>
</li>
</ul>
</section>
<section id="id68">
<h3><a class="toc-backref" href="#id221" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id68" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could crash with an assertion failure when adding a
new zone into the configuration file for a name which was already
configured as a member zone for a catalog zone. This has been fixed.
[GL #3911]</p></li>
<li><p>When <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> starts up, it sends a query for the DNSSEC key
for each configured trust anchor to determine whether the key has
changed. In some unusual cases, the query might depend on a zone for
which the server is itself authoritative, and would have failed if it
were sent before the zone was fully loaded. This has now been fixed by
delaying the key queries until all zones have finished loading.
[GL #3673]</p></li>
</ul>
</section>
<section id="id69">
<h3><a class="toc-backref" href="#id222" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id69" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-12">
<h2><a class="toc-backref" href="#id223" role="doc-backlink">Notes for BIND 9.18.12</a><a class="headerlink" href="#notes-for-bind-9-18-12" title="Link to this heading"></a></h2>
<section id="id70">
<h3><a class="toc-backref" href="#id224" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id70" title="Link to this heading"></a></h3>
<ul>
<li><p>Specifying a <code class="docutils literal notranslate"><span class="pre">port</span></code> when configuring source addresses (i.e., as an
argument to <a class="reference internal" href="reference.html#namedconf-statement-query-source" title="namedconf-statement-query-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">query-source</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-query-source-v6" title="namedconf-statement-query-source-v6"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">query-source-v6</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-transfer-source" title="namedconf-statement-transfer-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">transfer-source</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-transfer-source-v6" title="namedconf-statement-transfer-source-v6"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">transfer-source-v6</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-notify-source" title="namedconf-statement-notify-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">notify-source</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-notify-source-v6" title="namedconf-statement-notify-source-v6"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">notify-source-v6</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-parental-source" title="namedconf-statement-parental-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-source</span></code></a>,
or <a class="reference internal" href="reference.html#namedconf-statement-parental-source-v6" title="namedconf-statement-parental-source-v6"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-source-v6</span></code></a>, or in the <code class="docutils literal notranslate"><span class="pre">source</span></code> or <code class="docutils literal notranslate"><span class="pre">source-v6</span></code>
arguments to <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primaries</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-parental-agents" title="namedconf-statement-parental-agents"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-agents</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-also-notify" title="namedconf-statement-also-notify"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">also-notify</span></code></a>, or <a class="reference internal" href="chapter6.html#namedconf-statement-catalog-zones" title="namedconf-statement-catalog-zones"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">catalog-zones</span></code></a>) has been deprecated. In
addition, the <a class="reference internal" href="reference.html#namedconf-statement-use-v4-udp-ports" title="namedconf-statement-use-v4-udp-ports"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">use-v4-udp-ports</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-use-v6-udp-ports" title="namedconf-statement-use-v6-udp-ports"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">use-v6-udp-ports</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-avoid-v4-udp-ports" title="namedconf-statement-avoid-v4-udp-ports"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">avoid-v4-udp-ports</span></code></a>, and <a class="reference internal" href="reference.html#namedconf-statement-avoid-v6-udp-ports" title="namedconf-statement-avoid-v6-udp-ports"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">avoid-v6-udp-ports</span></code></a> options have
also been deprecated.</p>
<p>Warnings are now logged when any of these options are encountered in
<code class="docutils literal notranslate"><span class="pre">named.conf</span></code>. In a future release, they will be made nonfunctional.
[GL #3781]</p>
</li>
</ul>
</section>
<section id="id71">
<h3><a class="toc-backref" href="#id225" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id71" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A constant stream of zone additions and deletions via <code class="docutils literal notranslate"><span class="pre">rndc</span>
<span class="pre">reconfig</span></code> could cause increased memory consumption due to delayed
cleaning of view memory. This has been fixed. [GL #3801]</p></li>
<li><p>The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
NSEC3 hashing, has been improved. [GL #3795]</p></li>
<li><p>Pointing <a class="reference internal" href="reference.html#namedconf-statement-parental-agents" title="namedconf-statement-parental-agents"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-agents</span></code></a> to a resolver did not work because the
RD bit was not set on DS requests. This has been fixed. [GL #3783]</p></li>
<li><p>Building BIND 9 failed when the <code class="docutils literal notranslate"><span class="pre">--enable-dnsrps</span></code> switch for
<code class="docutils literal notranslate"><span class="pre">./configure</span></code> was used. This has been fixed. [GL #3827]</p></li>
</ul>
</section>
<section id="id72">
<h3><a class="toc-backref" href="#id226" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id72" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-11">
<h2><a class="toc-backref" href="#id227" role="doc-backlink">Notes for BIND 9.18.11</a><a class="headerlink" href="#notes-for-bind-9-18-11" title="Link to this heading"></a></h2>
<section id="id73">
<h3><a class="toc-backref" href="#id228" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id73" title="Link to this heading"></a></h3>
<ul>
<li><p>An UPDATE message flood could cause <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to exhaust all
available memory. This flaw was addressed by adding a new
<a class="reference internal" href="reference.html#namedconf-statement-update-quota" title="namedconf-statement-update-quota"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">update-quota</span></code></a> option that controls the maximum number of
outstanding DNS UPDATE messages that <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> can hold in a
queue at any given time (default: 100). <span class="target" id="index-16"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-3094"><strong>(CVE-2022-3094)</strong></a></p>
<p>ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. [GL #3523]</p>
</li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could crash with an assertion failure when an RRSIG
query was received and <a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> was set to a
non-zero value. This has been fixed. <span class="target" id="index-17"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-3736"><strong>(CVE-2022-3736)</strong></a></p>
<p>ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
our attention. [GL #3622]</p>
</li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> running as a resolver with the
<a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> option set to any value greater
than <code class="docutils literal notranslate"><span class="pre">0</span></code> could crash with an assertion failure, when the
<a class="reference internal" href="reference.html#namedconf-statement-recursive-clients" title="namedconf-statement-recursive-clients"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">recursive-clients</span></code></a> soft quota was reached. This has been fixed.
<span class="target" id="index-18"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-3924"><strong>(CVE-2022-3924)</strong></a></p>
<p>ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. [GL #3619]</p>
</li>
</ul>
</section>
<section id="id74">
<h3><a class="toc-backref" href="#id229" role="doc-backlink">New Features</a><a class="headerlink" href="#id74" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The new <a class="reference internal" href="reference.html#namedconf-statement-update-quota" title="namedconf-statement-update-quota"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">update-quota</span></code></a> option can be used to control the number
of simultaneous DNS UPDATE messages that can be processed to update an
authoritative zone on a primary server, or forwarded to the primary
server by a secondary server. The default is 100. A new statistics
counter has also been added to record events when this quota is
exceeded, and the version numbers for the XML and JSON statistics
schemas have been updated. [GL #3523]</p></li>
</ul>
</section>
<section id="id75">
<h3><a class="toc-backref" href="#id230" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id75" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The Differentiated Services Code Point (DSCP) feature in BIND has been
non-operational since the new Network Manager was introduced in BIND
9.16. It is now marked as obsolete, and vestigial code implementing it
has been removed. Configuring DSCP values in <code class="docutils literal notranslate"><span class="pre">named.conf</span></code> now causes
a warning to be logged. [GL #3773]</p></li>
</ul>
</section>
<section id="id76">
<h3><a class="toc-backref" href="#id231" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id76" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones. [GL #3212] [GL #3744]</p></li>
</ul>
</section>
<section id="id77">
<h3><a class="toc-backref" href="#id232" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id77" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A rare assertion failure was fixed in outgoing TCP DNS connection
handling. [GL #3178] [GL #3636]</p></li>
<li><p>Large zone transfers over TLS (XoT) could fail. This has been fixed.
[GL #3772]</p></li>
<li><p>In addition to a previously fixed bug, another similar issue was
discovered where quotas could be erroneously reached for servers,
including any configured forwarders, resulting in SERVFAIL answers
being sent to clients. This has been fixed. [GL #3752]</p></li>
<li><p>In certain query resolution scenarios (e.g. when following CNAME
records), <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> configured to answer from stale cache could
return a SERVFAIL response despite a usable, non-stale answer being
present in the cache. This has been fixed. [GL #3678]</p></li>
<li><p>When an outgoing request timed out, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> would retry up to
three times with the same server instead of trying the next available
name server. This has been fixed. [GL #3637]</p></li>
<li><p>Recently used ADB names and ADB entries (IP addresses) could get
cleaned when ADB was under memory pressure. To mitigate this, only
actual ADB names and ADB entries are now counted (excluding internal
memory structures used for “housekeeping”) and recently used (<= 10
seconds) ADB names and entries are excluded from the overmem memory
cleaner. [GL #3739]</p></li>
<li><p>The “Prohibited” Extended DNS Error was inadvertently set in some
NOERROR responses. This has been fixed. [GL #3743]</p></li>
<li><p>Previously, TLS session resumption could have led to handshake
failures when client certificates were used for authentication (Mutual
TLS). This has been fixed. [GL #3725]</p></li>
</ul>
</section>
<section id="id78">
<h3><a class="toc-backref" href="#id233" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id78" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-10">
<h2><a class="toc-backref" href="#id234" role="doc-backlink">Notes for BIND 9.18.10</a><a class="headerlink" href="#notes-for-bind-9-18-10" title="Link to this heading"></a></h2>
<section id="id79">
<h3><a class="toc-backref" href="#id235" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id79" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>To reduce unnecessary memory consumption in the cache, NXDOMAIN
records are no longer retained past the normal negative cache TTL,
even if <a class="reference internal" href="reference.html#namedconf-statement-stale-cache-enable" title="namedconf-statement-stale-cache-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-cache-enable</span></code></a> is set to <code class="docutils literal notranslate"><span class="pre">yes</span></code>. [GL #3386]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-auto-dnssec" title="namedconf-statement-auto-dnssec"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">auto-dnssec</span></code></a> option has been deprecated and will be removed
in a future BIND 9.19.x release. Please migrate to
<a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>. [GL #3667]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-coresize" title="namedconf-statement-coresize"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">coresize</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-datasize" title="namedconf-statement-datasize"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">datasize</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-files" title="namedconf-statement-files"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">files</span></code></a>, and
<a class="reference internal" href="reference.html#namedconf-statement-stacksize" title="namedconf-statement-stacksize"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stacksize</span></code></a> options have been deprecated. The limits these
options set should be enforced externally, either by manual
configuration (e.g. using <code class="docutils literal notranslate"><span class="pre">ulimit</span></code>) or via the process supervisor
(e.g. <code class="docutils literal notranslate"><span class="pre">systemd</span></code>). [GL #3676]</p></li>
<li><p>Setting alternate local addresses for inbound zone transfers has been
deprecated. The relevant options (<a class="reference internal" href="reference.html#namedconf-statement-alt-transfer-source" title="namedconf-statement-alt-transfer-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">alt-transfer-source</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-alt-transfer-source-v6" title="namedconf-statement-alt-transfer-source-v6"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">alt-transfer-source-v6</span></code></a>, and <a class="reference internal" href="reference.html#namedconf-statement-use-alt-transfer-source" title="namedconf-statement-use-alt-transfer-source"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">use-alt-transfer-source</span></code></a>)
will be removed in a future BIND 9.19.x release. [GL #3694]</p></li>
<li><p>The number of HTTP headers allowed in requests sent to
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>’s statistics channel has been increased from 10 to
100, to accommodate some browsers that send more than 10 headers
by default. [GL #3670]</p></li>
</ul>
</section>
<section id="id80">
<h3><a class="toc-backref" href="#id236" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id80" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could crash due to an assertion failure when an HTTP
connection to the statistics channel was closed prematurely (due to a
connection error, shutdown, etc.). This has been fixed. [GL #3693]</p></li>
<li><p>When a catalog zone was removed from the configuration, in some cases
a dangling pointer could cause the <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> process to crash.
This has been fixed. [GL #3683]</p></li>
<li><p>When a zone was deleted from a server, a key management object related
to that zone was inadvertently kept in memory and only released upon
shutdown. This could lead to constantly increasing memory use on
servers with a high rate of changes affecting the set of zones being
served. This has been fixed. [GL #3727]</p></li>
<li><p>TLS configuration for primary servers was not applied for zones that
were members of a catalog zone. This has been fixed. [GL #3638]</p></li>
<li><p>In certain cases, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> waited for the resolution of
outstanding recursive queries to finish before shutting down. This was
unintended and has been fixed. [GL #3183]</p></li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-host"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">host</span></code></a> and <a class="reference internal" href="manpages.html#std-iscman-nslookup"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nslookup</span></code></a> command-line options setting the
custom TCP/UDP port to use were ignored for ANY queries (which are
sent over TCP). This has been fixed. [GL #3721]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">zone</span> <span class="pre"><name>/<class>:</span> <span class="pre">final</span> <span class="pre">reference</span> <span class="pre">detached</span></code> log message was
moved from the INFO log level to the DEBUG(1) log level to prevent the
<a class="reference internal" href="manpages.html#std-iscman-named-checkzone"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named-checkzone</span></code></a> tool from superfluously logging this message
in non-debug mode. [GL #3707]</p></li>
</ul>
</section>
<section id="id81">
<h3><a class="toc-backref" href="#id237" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id81" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-9">
<h2><a class="toc-backref" href="#id238" role="doc-backlink">Notes for BIND 9.18.9</a><a class="headerlink" href="#notes-for-bind-9-18-9" title="Link to this heading"></a></h2>
<section id="id82">
<h3><a class="toc-backref" href="#id239" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id82" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A crash was fixed that happened when a <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> zone that
used NSEC3 was reconfigured to enable <a class="reference internal" href="reference.html#namedconf-statement-inline-signing" title="namedconf-statement-inline-signing"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">inline-signing</span></code></a>.
[GL #3591]</p></li>
<li><p>In certain resolution scenarios, quotas could be erroneously reached
for servers, including any configured forwarders, resulting in
SERVFAIL answers being sent to clients. This has been fixed.
[GL #3598]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">rpz-ip</span></code> rules in <a class="reference internal" href="reference.html#namedconf-statement-response-policy" title="namedconf-statement-response-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">response-policy</span></code></a> zones could be ineffective
in some cases if a query had the CD (Checking Disabled) bit set to 1.
This has been fixed. [GL #3247]</p></li>
<li><p>Previously, if Internet connectivity issues were experienced during
the initial startup of <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>, a BIND resolver with
<a class="reference internal" href="reference.html#namedconf-statement-dnssec-validation" title="namedconf-statement-dnssec-validation"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-validation</span></code></a> set to <code class="docutils literal notranslate"><span class="pre">auto</span></code> could enter into a state
where it would not recover without stopping <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>, manually
deleting the <code class="docutils literal notranslate"><span class="pre">managed-keys.bind</span></code> and <code class="docutils literal notranslate"><span class="pre">managed-keys.bind.jnl</span></code>
files, and starting <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> again. This has been fixed.
[GL #2895]</p></li>
<li><p>The statistics counter representing the current number of clients
awaiting recursive resolution results (<code class="docutils literal notranslate"><span class="pre">RecursClients</span></code>) could
overflow in certain resolution scenarios. This has been fixed.
[GL #3584]</p></li>
<li><p>Previously, the port in remote servers such as in <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primaries</span></code></a> and
<a class="reference internal" href="reference.html#namedconf-statement-parental-agents" title="namedconf-statement-parental-agents"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">parental-agents</span></code></a> could be wrongly configured because of an
inheritance bug. This has been fixed. [GL #3627]</p></li>
<li><p>Previously, BIND failed to start on Solaris-based systems with
hundreds of CPUs. This has been fixed. [GL #3563]</p></li>
<li><p>When a DNS resource record’s TTL value was equal to the resolver’s
configured <a class="reference internal" href="reference.html#namedconf-statement-prefetch" title="namedconf-statement-prefetch"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">prefetch</span></code></a> “eligibility” value, the record was
erroneously not treated as eligible for prefetching. This has been
fixed. [GL #3603]</p></li>
</ul>
</section>
<section id="id83">
<h3><a class="toc-backref" href="#id240" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id83" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-8">
<h2><a class="toc-backref" href="#id241" role="doc-backlink">Notes for BIND 9.18.8</a><a class="headerlink" href="#notes-for-bind-9-18-8" title="Link to this heading"></a></h2>
<section id="id84">
<h3><a class="toc-backref" href="#id242" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id84" title="Link to this heading"></a></h3>
<ul>
<li><p>Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
a manual configuration change. The following configurations are
affected:</p>
<ul class="simple">
<li><p><a class="reference internal" href="reference.html#namedconf-statement-type primary" title="namedconf-statement-type primary"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">type</span> <span class="pre">primary</span></code></a> zones configured with <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> but
without either <a class="reference internal" href="reference.html#namedconf-statement-allow-update" title="namedconf-statement-allow-update"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">allow-update</span></code></a> or <a class="reference internal" href="reference.html#namedconf-statement-update-policy" title="namedconf-statement-update-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">update-policy</span></code></a>,</p></li>
<li><p><a class="reference internal" href="reference.html#namedconf-statement-type secondary" title="namedconf-statement-type secondary"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">type</span> <span class="pre">secondary</span></code></a> zones configured with <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>.</p></li>
</ul>
<p>In these cases please add <a class="reference internal" href="reference.html#namedconf-statement-inline-signing" title="namedconf-statement-inline-signing"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">inline-signing</span> <span class="pre">yes;</span></code></a> to the individual zone configuration(s). Without
applying this change, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> will fail to start. For more
details, see
<a class="reference external" href="https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing">https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing</a></p>
</li>
<li><p>BIND 9.18 does not support dynamic update forwarding (see
<a class="reference internal" href="reference.html#namedconf-statement-allow-update-forwarding" title="namedconf-statement-allow-update-forwarding"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">allow-update-forwarding</span></code></a>) in conjuction with zone transfers over
TLS (XoT). [GL #3512]</p></li>
<li><p>See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known
issues affecting this BIND 9 branch.</p></li>
</ul>
</section>
<section id="id85">
<h3><a class="toc-backref" href="#id243" role="doc-backlink">New Features</a><a class="headerlink" href="#id85" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Support for parsing and validating the <code class="docutils literal notranslate"><span class="pre">dohpath</span></code> service parameter
in SVCB records was added. [GL #3544]</p></li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now logs the supported cryptographic algorithms during
startup and in the output of <a class="reference internal" href="manpages.html#cmdoption-named-V"><code class="xref std std-option docutils literal notranslate"><span class="pre">named</span> <span class="pre">-V</span></code></a>. [GL #3541]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">recursion</span> <span class="pre">not</span> <span class="pre">available</span></code> and <code class="docutils literal notranslate"><span class="pre">query</span> <span class="pre">(cache)</span> <span class="pre">'...'</span> <span class="pre">denied</span></code> log
messages were extended to include the name of the ACL that caused a
given query to be denied. [GL #3587]</p></li>
</ul>
</section>
<section id="id86">
<h3><a class="toc-backref" href="#id244" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id86" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The ability to use PKCS#11 via engine_pkcs11 has been restored, by
using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
compiled with <code class="docutils literal notranslate"><span class="pre">-DOPENSSL_API_COMPAT=10100</span></code> specified in the CFLAGS
environment variable at compile time. [GL #3578]</p></li>
</ul>
</section>
<section id="id87">
<h3><a class="toc-backref" href="#id245" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id87" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>An assertion failure was fixed in <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> that was caused by
aborting the statistics channel connection while sending statistics
data to the client. [GL #3542]</p></li>
<li><p>Changing just the TSIG key names for primaries in catalog zones’
member zones was not effective. This has been fixed. [GL #3557]</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-7">
<h2><a class="toc-backref" href="#id246" role="doc-backlink">Notes for BIND 9.18.7</a><a class="headerlink" href="#notes-for-bind-9-18-7" title="Link to this heading"></a></h2>
<section id="id88">
<h3><a class="toc-backref" href="#id247" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id88" title="Link to this heading"></a></h3>
<ul>
<li><p>Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> running as a
recursive resolver. This has been fixed. <span class="target" id="index-19"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-2795"><strong>(CVE-2022-2795)</strong></a></p>
<p>ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]</p>
</li>
<li><p>When an HTTP connection was reused to request statistics from the
stats channel, the content length of successive responses could grow
in size past the end of the allocated buffer. This has been fixed.
<span class="target" id="index-20"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-2881"><strong>(CVE-2022-2881)</strong></a> [GL #3493]</p></li>
<li><p>Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
could be externally triggered, when using TKEY records in DH mode with
OpenSSL 3.0.0 and later versions. <span class="target" id="index-21"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-2906"><strong>(CVE-2022-2906)</strong></a> [GL #3491]</p></li>
<li><p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> running as a resolver with the
<a class="reference internal" href="reference.html#namedconf-statement-stale-answer-client-timeout" title="namedconf-statement-stale-answer-client-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-client-timeout</span></code></a> option set to <code class="docutils literal notranslate"><span class="pre">0</span></code> could crash
with an assertion failure, when there was a stale CNAME in the cache
for the incoming query. This has been fixed. <span class="target" id="index-22"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-3080"><strong>(CVE-2022-3080)</strong></a>
[GL #3517]</p></li>
<li><p>Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. <span class="target" id="index-23"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-38178"><strong>(CVE-2022-38178)</strong></a>
[GL #3487]</p></li>
</ul>
</section>
<section id="id89">
<h3><a class="toc-backref" href="#id248" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id89" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name,
to prevent circumventing the limits enforced by RRL. [GL #3459]</p></li>
<li><p>Zones using <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> now require dynamic DNS or
<a class="reference internal" href="reference.html#namedconf-statement-inline-signing" title="namedconf-statement-inline-signing"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">inline-signing</span></code></a> to be configured explicitly. [GL #3381]</p></li>
<li><p>When reconfiguring <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> from using NSEC with an
NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
until the offending DNSKEY records have been removed from the zone,
then switches to using NSEC3. [GL #3486]</p></li>
<li><p>A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in <a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a> and converting
the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
conversion. [GL #3485]</p></li>
</ul>
</section>
<section id="id90">
<h3><a class="toc-backref" href="#id249" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id90" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]</p></li>
</ul>
</section>
<section id="id91">
<h3><a class="toc-backref" href="#id250" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id91" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-6">
<h2><a class="toc-backref" href="#id251" role="doc-backlink">Notes for BIND 9.18.6</a><a class="headerlink" href="#notes-for-bind-9-18-6" title="Link to this heading"></a></h2>
<section id="id92">
<h3><a class="toc-backref" href="#id252" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id92" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
disabled on systems where they are disallowed by the security policy
(e.g. Red Hat Enterprise Linux 9). Primary zones using those
algorithms need to be migrated to new algorithms prior to running on
these systems, as graceful migration to different DNSSEC algorithms is
not possible when RSASHA1 is disallowed by the operating system.
[GL #3469]</p></li>
<li><p>Log messages related to fetch limiting have been improved to provide
more complete information. Specifically, the final counts of allowed
and spilled fetches are now logged before the counter object is
destroyed. [GL #3461]</p></li>
</ul>
</section>
<section id="id93">
<h3><a class="toc-backref" href="#id253" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id93" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>When running as a validating resolver forwarding all queries to
another resolver, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> could crash with an assertion
failure. These crashes occurred when the configured forwarder sent a
broken DS response and <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> failed its attempts to find a
proper one instead. This has been fixed. [GL #3439]</p></li>
<li><p>Non-dynamic zones that inherit <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> from the
<a class="reference internal" href="reference.html#namedconf-statement-view" title="namedconf-statement-view"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">view</span></code></a> or <a class="reference internal" href="reference.html#namedconf-statement-options" title="namedconf-statement-options"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">options</span></code></a> blocks were not
marked as inline-signed and therefore never scheduled to be re-signed.
This has been fixed. [GL #3438]</p></li>
<li><p>The old <a class="reference internal" href="reference.html#namedconf-statement-max-zone-ttl" title="namedconf-statement-max-zone-ttl"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-zone-ttl</span></code></a> zone option was meant to be superseded by
the <a class="reference internal" href="reference.html#namedconf-statement-max-zone-ttl" title="namedconf-statement-max-zone-ttl"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-zone-ttl</span></code></a> option in <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>; however, the
latter option was not fully effective. This has been corrected: zones
no longer load if they contain TTLs greater than the limit configured
in <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>. For zones with both the old
<a class="reference internal" href="reference.html#namedconf-statement-max-zone-ttl" title="namedconf-statement-max-zone-ttl"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-zone-ttl</span></code></a> option and <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> configured, the
old option is ignored, and a warning is generated. [GL #2918]</p></li>
<li><p><a class="reference internal" href="manpages.html#cmdoption-rndc-arg-dumpdb"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">dumpdb</span> <span class="pre">-expired</span></code></a> was fixed to include
expired RRsets, even if <a class="reference internal" href="reference.html#namedconf-statement-stale-cache-enable" title="namedconf-statement-stale-cache-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-cache-enable</span></code></a> is set to <code class="docutils literal notranslate"><span class="pre">no</span></code> and
the cache-cleaning time window has passed. [GL #3462]</p></li>
</ul>
</section>
<section id="id94">
<h3><a class="toc-backref" href="#id254" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id94" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-5">
<h2><a class="toc-backref" href="#id255" role="doc-backlink">Notes for BIND 9.18.5</a><a class="headerlink" href="#notes-for-bind-9-18-5" title="Link to this heading"></a></h2>
<section id="id95">
<h3><a class="toc-backref" href="#id256" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id95" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The <a class="reference internal" href="manpages.html#cmdoption-dnssec-signzone-H"><code class="xref std std-option docutils literal notranslate"><span class="pre">dnssec-signzone</span> <span class="pre">-H</span></code></a> default value has been changed to 0
additional NSEC3 iterations. This change aligns the
<a class="reference internal" href="manpages.html#std-iscman-dnssec-signzone"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-signzone</span></code></a> default with the default used by the
<a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> feature. At the same
time, documentation about NSEC3 has been aligned with the <a class="reference external" href="https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10">Best
Current Practice</a>. [GL #3395]</p></li>
</ul>
</section>
<section id="id96">
<h3><a class="toc-backref" href="#id257" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id96" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>An assertion failure caused by a TCP connection closing between a
connect (or accept) and a read from a socket has been fixed.
[GL #3400]</p></li>
<li><p>When grafting non-delegated namespace onto delegated namespace,
<a class="reference internal" href="reference.html#namedconf-statement-synth-from-dnssec" title="namedconf-statement-synth-from-dnssec"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">synth-from-dnssec</span></code></a> could incorrectly synthesize non-existence of
records within the non-delegated namespace using NSEC records from
higher zones. [GL #3402]</p></li>
<li><p>Previously, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> immediately returned a SERVFAIL response
to the client when it received a FORMERR response from an
authoritative server during recursive resolution. This has been fixed:
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> acting as a resolver now attempts to contact other
authoritative servers for a given domain when it receives a FORMERR
response from one of them. [GL #3152]</p></li>
<li><p>Previously, <a class="reference internal" href="manpages.html#cmdoption-rndc-arg-reconfig"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">reconfig</span></code></a> did not pick up changes to
<a class="reference internal" href="reference.html#namedconf-statement-endpoints" title="namedconf-statement-endpoints"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">endpoints</span></code></a> statements in <a class="reference internal" href="reference.html#namedconf-statement-http" title="namedconf-statement-http"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">http</span></code></a> blocks. This has been
fixed. [GL #3415]</p></li>
<li><p>It was possible for a catalog zone consumer to process a catalog zone
member zone when there was a configured pre-existing forward-only
forward zone with the same name. This has been fixed. [GL #2506]</p></li>
</ul>
</section>
<section id="id97">
<h3><a class="toc-backref" href="#id258" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id97" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-4">
<h2><a class="toc-backref" href="#id259" role="doc-backlink">Notes for BIND 9.18.4</a><a class="headerlink" href="#notes-for-bind-9-18-4" title="Link to this heading"></a></h2>
<section id="id98">
<h3><a class="toc-backref" href="#id260" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id98" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>New <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> configuration checks have been added to detect
unusual policies, such as missing KSK and/or ZSK and too-short key
lifetimes and re-sign periods. [GL #1611]</p></li>
</ul>
</section>
<section id="id99">
<h3><a class="toc-backref" href="#id261" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id99" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-fetches-per-server" title="namedconf-statement-fetches-per-server"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">fetches-per-server</span></code></a> quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly, so
that the quota for a congested server was always set to 1. This has
been fixed. [GL #3327]</p></li>
<li><p>DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]</p></li>
<li><p>Key files were updated every time the <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> key manager
ran, whether the metadata had changed or not. <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> now
checks whether changes were applied before writing out the key files.
[GL #3302]</p></li>
</ul>
</section>
<section id="id100">
<h3><a class="toc-backref" href="#id262" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id100" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-3">
<h2><a class="toc-backref" href="#id263" role="doc-backlink">Notes for BIND 9.18.3</a><a class="headerlink" href="#notes-for-bind-9-18-3" title="Link to this heading"></a></h2>
<section id="id101">
<h3><a class="toc-backref" href="#id264" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id101" title="Link to this heading"></a></h3>
<ul>
<li><p>Previously, TLS socket objects could be destroyed prematurely, which
triggered assertion failures in <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> instances serving
DNS-over-HTTPS (DoH) clients. This has been fixed.</p>
<p>ISC would like to thank Thomas Amgarten from arcade solutions ag for
bringing this vulnerability to our attention. <span class="target" id="index-24"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-1183"><strong>(CVE-2022-1183)</strong></a>
[GL #3216]</p>
</li>
</ul>
</section>
<section id="id102">
<h3><a class="toc-backref" href="#id265" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id102" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>According to <span class="target" id="index-25"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8310.html"><strong>RFC 8310</strong></a>, Section 8.1, the <code class="docutils literal notranslate"><span class="pre">Subject</span></code> field MUST NOT
be inspected when verifying a remote certificate while establishing a
DNS-over-TLS connection. Only <code class="docutils literal notranslate"><span class="pre">subjectAltName</span></code> must be checked
instead. Unfortunately, some quite old versions of cryptographic
libraries might lack the ability to ignore the <code class="docutils literal notranslate"><span class="pre">Subject</span></code> field. This
should have minimal production-use consequences, as most of the
production-ready certificates issued by certificate authorities will
have <code class="docutils literal notranslate"><span class="pre">subjectAltName</span></code> set. In such cases, the <code class="docutils literal notranslate"><span class="pre">Subject</span></code> field is
ignored. Only old platforms are affected by this, e.g. those supplied
with OpenSSL versions older than 1.1.1. [GL #3163]</p></li>
<li><p>See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known
issues affecting this BIND 9 branch.</p></li>
</ul>
</section>
<section id="id103">
<h3><a class="toc-backref" href="#id266" role="doc-backlink">New Features</a><a class="headerlink" href="#id103" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Catalog Zones schema version 2, as described in the
“DNS Catalog Zones” IETF draft version 5 document, is now supported by
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>. All of the previously supported BIND-specific catalog
zone custom properties (<a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primaries</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-allow-query" title="namedconf-statement-allow-query"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">allow-query</span></code></a>, and
<a class="reference internal" href="reference.html#namedconf-statement-allow-transfer" title="namedconf-statement-allow-transfer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">allow-transfer</span></code></a>), as well as the new Change of Ownership (<code class="docutils literal notranslate"><span class="pre">coo</span></code>)
property, are now implemented. Schema version 1 is still supported,
with some additional validation rules applied from schema version 2:
for example, the <a class="reference internal" href="reference.html#namedconf-statement-version" title="namedconf-statement-version"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">version</span></code></a> property is mandatory, and a member zone
PTR RRset must not contain more than one record. In the event of a
validation error, a corresponding error message is logged to help with
diagnosing the problem. [GL #3221] [GL #3222] [GL #3223]
[GL #3224] [GL #3225]</p></li>
<li><p>Support DNS Extended Errors (<span class="target" id="index-26"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8914.html"><strong>RFC 8914</strong></a>) <code class="docutils literal notranslate"><span class="pre">Stale</span> <span class="pre">Answer</span></code> and
<code class="docutils literal notranslate"><span class="pre">Stale</span> <span class="pre">NXDOMAIN</span> <span class="pre">Answer</span></code> when stale answers are returned from cache.
[GL #2267]</p></li>
<li><p>Add support for remote TLS certificate verification, both to
<a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> and <a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a>, making it possible to implement
Strict and Mutual TLS authentication, as described in <span class="target" id="index-27"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc9103.html"><strong>RFC 9103</strong></a>,
Section 9.3. [GL #3163]</p></li>
</ul>
</section>
<section id="id104">
<h3><a class="toc-backref" href="#id267" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id104" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Previously, CDS and CDNSKEY DELETE records were removed from the zone
when configured with the <code class="docutils literal notranslate"><span class="pre">auto-dnssec</span> <span class="pre">maintain;</span></code> option. This has
been fixed. [GL #2931]</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-2">
<h2><a class="toc-backref" href="#id268" role="doc-backlink">Notes for BIND 9.18.2</a><a class="headerlink" href="#notes-for-bind-9-18-2" title="Link to this heading"></a></h2>
<section id="id105">
<h3><a class="toc-backref" href="#id269" role="doc-backlink">New Features</a><a class="headerlink" href="#id105" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Add a new configuration option <a class="reference internal" href="reference.html#namedconf-statement-reuseport" title="namedconf-statement-reuseport"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">reuseport</span></code></a> to disable load balancing
on sockets in situations where processing of Response Policy Zones
(RPZ), Catalog Zones, or large zone transfers can cause service
disruptions. See the BIND 9 ARM for more detail. [GL #3249]</p></li>
</ul>
</section>
<section id="id106">
<h3><a class="toc-backref" href="#id270" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id106" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Previously, zone maintenance DNS queries retried forever if the
destination server was unreachable. These queries included outgoing
NOTIFY messages, refresh SOA queries, parental DS checks, and stub
zone NS queries. For example, if a zone had any nameservers with IPv6
addresses and a secondary server without IPv6 connectivity, that
server would keep trying to send a growing amount of NOTIFY traffic
over IPv6. This futile traffic was not logged. This excessive retry
behavior has been fixed. [GL #3242]</p></li>
<li><p>A number of crashes and hangs which could be triggered in
<a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a> were identified and addressed. [GL #3020] [GL #3128]
[GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]</p></li>
<li><p>Invalid <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> definitions, where the defined keys did not
cover both KSK and ZSK roles for a given algorithm, were being
accepted. These are now checked, and the <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> is rejected
if both roles are not present for all algorithms in use. [GL #3142]</p></li>
<li><p>Handling of TCP write timeouts has been improved to track the timeout
for each TCP write separately, leading to a faster connection teardown
in case the other party is not reading the data. [GL #3200]</p></li>
</ul>
</section>
<section id="id107">
<h3><a class="toc-backref" href="#id271" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id107" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-1">
<h2><a class="toc-backref" href="#id272" role="doc-backlink">Notes for BIND 9.18.1</a><a class="headerlink" href="#notes-for-bind-9-18-1" title="Link to this heading"></a></h2>
<section id="id108">
<h3><a class="toc-backref" href="#id273" role="doc-backlink">Security Fixes</a><a class="headerlink" href="#id108" title="Link to this heading"></a></h3>
<ul>
<li><p>The rules for acceptance of records into the cache have been tightened
to prevent the possibility of poisoning if forwarders send records
outside the configured bailiwick. <span class="target" id="index-28"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2021-25220"><strong>(CVE-2021-25220)</strong></a></p>
<p>ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
Changgen Zou from Qi An Xin Group Corp. for bringing this
vulnerability to our attention. [GL #2950]</p>
</li>
<li><p>TCP connections with <a class="reference internal" href="reference.html#namedconf-statement-keep-response-order" title="namedconf-statement-keep-response-order"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">keep-response-order</span></code></a> enabled could leave the
TCP sockets in the <code class="docutils literal notranslate"><span class="pre">CLOSE_WAIT</span></code> state when the client did not
properly shut down the connection. <span class="target" id="index-29"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-0396"><strong>(CVE-2022-0396)</strong></a> [GL #3112]</p></li>
<li><p>Lookups involving a DNAME could trigger an assertion failure when
<a class="reference internal" href="reference.html#namedconf-statement-synth-from-dnssec" title="namedconf-statement-synth-from-dnssec"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">synth-from-dnssec</span></code></a> was enabled (which is the default).
<span class="target" id="index-30"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-0635"><strong>(CVE-2022-0635)</strong></a></p>
<p>ISC would like to thank Vincent Levigneron from AFNIC for bringing
this vulnerability to our attention. [GL #3158]</p>
</li>
<li><p>When chasing DS records, a timed-out or artificially delayed fetch
could cause <code class="docutils literal notranslate"><span class="pre">named</span></code> to crash while resuming a DS lookup.
<span class="target" id="index-31"></span><a class="cve reference external" href="https://kb.isc.org/docs/cve-2022-0667"><strong>(CVE-2022-0667)</strong></a> [GL #3129]</p></li>
</ul>
</section>
<section id="id109">
<h3><a class="toc-backref" href="#id274" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id109" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
by a client are now included in the client information sent to DLZ
modules when processing queries. [GL #3082]</p></li>
<li><p>DEBUG(1)-level messages were added when starting and ending the BIND 9
task-exclusive mode that stops normal DNS operation (e.g. for
reconfiguration, interface scans, and other events that require
exclusive access to a shared resource). [GL #3137]</p></li>
<li><p>The limit on the number of simultaneously processed pipelined DNS
queries received over TCP has been removed. Previously, it was capped
at 23 queries processed at the same time. [GL #3141]</p></li>
</ul>
</section>
<section id="id110">
<h3><a class="toc-backref" href="#id275" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id110" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>A failed view configuration during a <code class="docutils literal notranslate"><span class="pre">named</span></code> reconfiguration
procedure could cause inconsistencies in BIND internal structures,
causing a crash or other unexpected errors. This has been fixed.
[GL #3060]</p></li>
<li><p>Previously, <code class="docutils literal notranslate"><span class="pre">named</span></code> logged a “quota reached” message when it hit its
hard quota on the number of connections. That message was accidentally
removed but has now been restored. [GL #3125]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-max-transfer-time-out" title="namedconf-statement-max-transfer-time-out"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-transfer-time-out</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-max-transfer-idle-out" title="namedconf-statement-max-transfer-idle-out"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">max-transfer-idle-out</span></code></a> options
were not implemented when the BIND 9 networking stack was refactored
in 9.16. The missing functionality has been re-implemented and
outgoing zone transfers now time out properly when not progressing.
[GL #1897]</p></li>
<li><p>TCP connections could hang indefinitely if the other party did not
read sent data, causing the TCP write buffers to fill. This has been
fixed by adding a “write” timer. Connections that are hung while
writing now time out after the <a class="reference internal" href="reference.html#namedconf-statement-tcp-idle-timeout" title="namedconf-statement-tcp-idle-timeout"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tcp-idle-timeout</span></code></a> period has
elapsed. [GL #3132]</p></li>
<li><p>Client TCP connections are now closed immediately when data received
cannot be parsed as a valid DNS request. [GL #3149]</p></li>
<li><p>The statistics counter representing the current number of clients
awaiting recursive resolution results (<code class="docutils literal notranslate"><span class="pre">RecursClients</span></code>) could be
miscalculated in certain resolution scenarios, potentially causing the
value of the counter to drop below zero. This has been fixed.
[GL #3147]</p></li>
<li><p>An error in the processing of the <a class="reference internal" href="reference.html#namedconf-statement-blackhole" title="namedconf-statement-blackhole"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">blackhole</span></code></a> ACL could cause some
DNS requests sent by <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to fail - for example, zone
transfer requests and SOA refresh queries - if the destination address
or prefix was specifically excluded from the ACL using <code class="docutils literal notranslate"><span class="pre">!</span></code>, or if
the ACL was set to <code class="docutils literal notranslate"><span class="pre">none</span></code>. This has now been fixed. <a class="reference internal" href="reference.html#namedconf-statement-blackhole" title="namedconf-statement-blackhole"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">blackhole</span></code></a>
worked correctly when it was left unset, or if only positive-match
elements were included. [GL #3157]</p></li>
<li><p>Build errors were introduced in some DLZ modules due to an incomplete
change in the previous release. This has been fixed. [GL #3111]</p></li>
</ul>
</section>
<section id="id111">
<h3><a class="toc-backref" href="#id276" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id111" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>There are no new known issues with this release. See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known issues affecting this
BIND 9 branch.</p></li>
</ul>
</section>
</section>
<section id="notes-for-bind-9-18-0">
<h2><a class="toc-backref" href="#id277" role="doc-backlink">Notes for BIND 9.18.0</a><a class="headerlink" href="#notes-for-bind-9-18-0" title="Link to this heading"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This section only lists changes since BIND 9.16.25, the most
recent release on the previous stable branch of BIND before
the publication of BIND 9.18.0.</p>
</div>
<section id="id112">
<h3><a class="toc-backref" href="#id278" role="doc-backlink">Known Issues</a><a class="headerlink" href="#id112" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">rndc</span></code> has been updated to use the new BIND network manager API. As
the network manager currently has no support for UNIX-domain sockets,
those cannot now be used with <code class="docutils literal notranslate"><span class="pre">rndc</span></code>. This will be addressed in a
future release, either by restoring UNIX-domain socket support or by
formally declaring them to be obsolete in the control channel.
[GL #1759]</p></li>
<li><p>See <a class="reference internal" href="#relnotes-known-issues"><span class="std std-ref">above</span></a> for a list of all known
issues affecting this BIND 9 branch.</p></li>
</ul>
</section>
<section id="id113">
<h3><a class="toc-backref" href="#id279" role="doc-backlink">New Features</a><a class="headerlink" href="#id113" title="Link to this heading"></a></h3>
<ul>
<li><p><code class="docutils literal notranslate"><span class="pre">named</span></code> now supports securing DNS traffic using Transport Layer
Security (TLS). TLS is used by both DNS over TLS (DoT) and
DNS over HTTPS (DoH).</p>
<p><code class="docutils literal notranslate"><span class="pre">named</span></code> can use either a certificate provided by the user or an
ephemeral certificate generated automatically upon startup. The
<a class="reference internal" href="reference.html#namedconf-statement-tls" title="namedconf-statement-tls"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tls</span></code></a> block allows fine-grained control over TLS
parameters. [GL #1840] [GL #2795] [GL #2796]</p>
<p>For debugging purposes, <code class="docutils literal notranslate"><span class="pre">named</span></code> logs TLS pre-master secrets when the
<code class="docutils literal notranslate"><span class="pre">SSLKEYLOGFILE</span></code> environment variable is set. This enables
troubleshooting of issues with encrypted traffic. [GL #2723]</p>
</li>
<li><p>Support for DNS over TLS (DoT) has been added to <code class="docutils literal notranslate"><span class="pre">named</span></code>. Network
interfaces for DoT are configured using the existing
<a class="reference internal" href="reference.html#interfaces"><span class="std std-ref">listen-on</span></a> directive, while TLS parameters are
configured using the new <a class="reference internal" href="reference.html#namedconf-statement-tls" title="namedconf-statement-tls"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tls</span></code></a> block. [GL #1840]</p>
<p><code class="docutils literal notranslate"><span class="pre">named</span></code> supports <span class="target" id="index-32"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc9103.html"><strong>zone transfers over TLS</strong></a>
(XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.</p>
<p>Incoming zone transfers over TLS are enabled by adding the <a class="reference internal" href="reference.html#namedconf-statement-tls" title="namedconf-statement-tls"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tls</span></code></a>
keyword, followed by either the name of a previously configured
<a class="reference internal" href="reference.html#namedconf-statement-tls" title="namedconf-statement-tls"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tls</span></code></a> block or the string <code class="docutils literal notranslate"><span class="pre">ephemeral</span></code>, to the
addresses included in <a class="reference internal" href="reference.html#namedconf-statement-primaries" title="namedconf-statement-primaries"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primaries</span></code></a> lists.
[GL #2392]</p>
<p>Similarly, the <a class="reference internal" href="reference.html#namedconf-statement-allow-transfer" title="namedconf-statement-allow-transfer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">allow-transfer</span></code></a> option
was extended to accept additional <code class="docutils literal notranslate"><span class="pre">port</span></code> and <code class="docutils literal notranslate"><span class="pre">transport</span></code>
parameters, to further restrict outgoing zone transfers to a
particular port and/or DNS transport protocol. [GL #2776]</p>
<p>Note that zone transfers over TLS (XoT) require the <code class="docutils literal notranslate"><span class="pre">dot</span></code>
Application-Layer Protocol Negotiation (ALPN) token to be selected in
the TLS handshake, as required by <span class="target" id="index-33"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc9103.html"><strong>RFC 9103</strong></a> section 7.1. This might
cause issues with non-compliant XoT servers. [GL #2794]</p>
<p>The <code class="docutils literal notranslate"><span class="pre">dig</span></code> tool is now able to send DoT queries (<code class="docutils literal notranslate"><span class="pre">+tls</span></code> option).
[GL #1840]</p>
<p>There is currently no support for forwarding DNS queries via DoT.</p>
</li>
<li><p>Support for DNS over HTTPS (DoH) has been added to <code class="docutils literal notranslate"><span class="pre">named</span></code>. Both
TLS-encrypted and unencrypted connections are supported (the latter
may be used to offload encryption to other software). Network
interfaces for DoH are configured using the existing
<a class="reference internal" href="reference.html#interfaces"><span class="std std-ref">listen-on</span></a> directive, while TLS parameters are
configured using the new <a class="reference internal" href="reference.html#namedconf-statement-tls" title="namedconf-statement-tls"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tls</span></code></a> block and HTTP
parameters are configured using the new <a class="reference internal" href="reference.html#namedconf-statement-http" title="namedconf-statement-http"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">http</span></code></a> block.
[GL #1144] [GL #2472]</p>
<p>Server-side quotas on both the number of concurrent DoH connections
and the number of active HTTP/2 streams per connection can be
configured using the global <a class="reference internal" href="reference.html#namedconf-statement-http-listener-clients" title="namedconf-statement-http-listener-clients"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">http-listener-clients</span></code></a> and
<a class="reference internal" href="reference.html#namedconf-statement-http-streams-per-connection" title="namedconf-statement-http-streams-per-connection"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">http-streams-per-connection</span></code></a> options, or the <a class="reference internal" href="reference.html#namedconf-statement-listener-clients" title="namedconf-statement-listener-clients"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">listener-clients</span></code></a>
and <a class="reference internal" href="reference.html#namedconf-statement-streams-per-connection" title="namedconf-statement-streams-per-connection"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">streams-per-connection</span></code></a> parameters in an
<a class="reference internal" href="reference.html#namedconf-statement-http" title="namedconf-statement-http"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">http</span> <span class="pre">block</span></code></a>. [GL #2809]</p>
<p>The <code class="docutils literal notranslate"><span class="pre">dig</span></code> tool is now able to send DoH queries (<code class="docutils literal notranslate"><span class="pre">+https</span></code> option).
[GL #1641]</p>
<p>There is currently no support for forwarding DNS queries via DoH.</p>
<p>DoH support can be disabled at compile time using a new build-time
option, <code class="docutils literal notranslate"><span class="pre">--disable-doh</span></code>. This allows BIND 9 to be built without the
<a class="reference external" href="https://nghttp2.org/">libnghttp2</a> library. [GL #2478]</p>
</li>
<li><p>A new logging category, <code class="docutils literal notranslate"><span class="pre">rpz-passthru</span></code>, was added, which allows RPZ
passthru actions to be logged into a separate channel. [GL #54]</p></li>
<li><p>A new option, <code class="docutils literal notranslate"><span class="pre">nsdname-wait-recurse</span></code>, has been added to the
<a class="reference internal" href="reference.html#namedconf-statement-response-policy" title="namedconf-statement-response-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">response-policy</span></code></a> clause in the configuration file. When set to
<code class="docutils literal notranslate"><span class="pre">no</span></code>, RPZ NSDNAME rules are only applied if the authoritative
nameservers for the query name have been looked up and are present in
the cache. If this information is not present, the RPZ NSDNAME rules
are ignored, but the information is looked up in the background and
applied to subsequent queries. The default is <code class="docutils literal notranslate"><span class="pre">yes</span></code>, meaning that
RPZ NSDNAME rules should always be applied, even if the information
needs to be looked up first. [GL #1138]</p></li>
<li><p>Support for HTTPS and SVCB record types now also includes ADDITIONAL
section processing for these record types. [GL #1132]</p></li>
<li><p>New configuration options, <a class="reference internal" href="reference.html#namedconf-statement-tcp-receive-buffer" title="namedconf-statement-tcp-receive-buffer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tcp-receive-buffer</span></code></a>,
<a class="reference internal" href="reference.html#namedconf-statement-tcp-send-buffer" title="namedconf-statement-tcp-send-buffer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">tcp-send-buffer</span></code></a>, <a class="reference internal" href="reference.html#namedconf-statement-udp-receive-buffer" title="namedconf-statement-udp-receive-buffer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">udp-receive-buffer</span></code></a>, and <a class="reference internal" href="reference.html#namedconf-statement-udp-send-buffer" title="namedconf-statement-udp-send-buffer"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">udp-send-buffer</span></code></a>,
have been added. These options allow the operator to fine-tune the
receiving and sending buffers in the operating system. On busy
servers, increasing the size of the receive buffers can prevent the
server from dropping packets during short traffic spikes, and
decreasing it can prevent the server from becoming clogged with
queries that are too old and have already timed out. [GL #2313]</p></li>
<li><p>New finer-grained <a class="reference internal" href="reference.html#namedconf-statement-update-policy" title="namedconf-statement-update-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">update-policy</span></code></a> rule types,
<code class="docutils literal notranslate"><span class="pre">krb5-subdomain-self-rhs</span></code> and <code class="docutils literal notranslate"><span class="pre">ms-subdomain-self-rhs</span></code>, were added.
These rule types restrict updates to SRV and PTR records so that their
content can only match the machine name embedded in the Kerberos
principal making the change. [GL #481]</p></li>
<li><p>Per-type record count limits can now be specified in <a class="reference internal" href="reference.html#namedconf-statement-update-policy" title="namedconf-statement-update-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">update-policy</span></code></a>
statements, to limit the number of records of a particular type that
can be added to a domain name via dynamic update. [GL #1657]</p></li>
<li><p>Support for OpenSSL 3.0 APIs was added. [GL #2843] [GL #3057]</p></li>
<li><p>Extended DNS Error Code 18 - Prohibited (see <span class="target" id="index-34"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8914.html"><strong>RFC 8914</strong></a> section
4.19) is now set if query access is denied to the specific client.
[GL #1836]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ipv4only.arpa</span></code> is now served when DNS64 is configured. [GL #385]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">dig</span></code> can now report the DNS64 prefixes in use (<code class="docutils literal notranslate"><span class="pre">+dns64prefix</span></code>).
This is useful when the host on which <code class="docutils literal notranslate"><span class="pre">dig</span></code> is run is behind an
IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
Service). [GL #1154]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">dig</span></code> output now includes the transport protocol used (UDP, TCP,
TLS, HTTPS). [GL #1144] [GL #1816]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">dig</span> <span class="pre">+qid=<num></span></code> allows the user to specify a particular query ID
for testing purposes. [GL #1851]</p></li>
</ul>
</section>
<section id="id114">
<h3><a class="toc-backref" href="#id280" role="doc-backlink">Removed Features</a><a class="headerlink" href="#id114" title="Link to this heading"></a></h3>
<ul>
<li><p>Support for the <code class="docutils literal notranslate"><span class="pre">map</span></code> zone file format (<code class="docutils literal notranslate"><span class="pre">masterfile-format</span> <span class="pre">map;</span></code>)
has been removed. Users relying on the <code class="docutils literal notranslate"><span class="pre">map</span></code> format are advised to
convert their zones to the <code class="docutils literal notranslate"><span class="pre">raw</span></code> format with <code class="docutils literal notranslate"><span class="pre">named-compilezone</span></code>
and change the configuration appropriately prior to upgrading BIND 9.
[GL #2882]</p></li>
<li><p>Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
enabled in <code class="docutils literal notranslate"><span class="pre">named</span></code> at build time have been removed. New-style DLZ
modules should be used as a replacement. [GL #2814]</p></li>
<li><p>Support for compiling and running BIND 9 natively on Windows has been
completely removed. The last stable release branch that has working
Windows support is BIND 9.16. [GL #2690]</p></li>
<li><p>Native PKCS#11 support has been removed. [GL #2691]</p>
<p>When built against OpenSSL 1.x, BIND 9 now
<a class="reference internal" href="chapter5.html#pkcs11"><span class="std std-ref">uses engine_pkcs11 for PKCS#11</span></a>. engine_pkcs11 is an
OpenSSL engine which is part of the <a class="reference external" href="https://github.com/OpenSC/libp11">OpenSC</a> project.</p>
<p>As support for so-called “engines” was deprecated in OpenSSL 3.x,
compiling BIND 9 against an OpenSSL 3.x build which does not retain
support for deprecated APIs makes it impossible to use PKCS#11 in BIND
9. A replacement for engine_pkcs11 which employs the new “provider”
approach introduced in OpenSSL 3.x is in the making. [GL #2843]</p>
</li>
<li><p>The utilities <code class="docutils literal notranslate"><span class="pre">dnssec-checkds</span></code>, <code class="docutils literal notranslate"><span class="pre">dnssec-coverage</span></code>, and
<code class="docutils literal notranslate"><span class="pre">dnssec-keymgr</span></code> have been removed from the BIND distribution, as well
as the <code class="docutils literal notranslate"><span class="pre">isc</span></code> Python package. DNSSEC features formerly provided
by these utilities are now integrated into <code class="docutils literal notranslate"><span class="pre">named</span></code>.
See the <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> configuration option
for more details.</p>
<p>An archival version of the Python utilities has been moved to
the repository <a class="reference external" href="https://gitlab.isc.org/isc-projects/dnssec-keymgr/">https://gitlab.isc.org/isc-projects/dnssec-keymgr/</a>.
Please note these tools are no longer supported by ISC.</p>
</li>
<li><p>Since the old socket manager API has been removed, “socketmgr”
statistics are no longer reported by the
<a class="reference internal" href="reference.html#namedconf-statement-statistics-channels" title="namedconf-statement-statistics-channels"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">statistics-channels</span></code></a>. [GL #2926]</p></li>
<li><p>The <a class="reference internal" href="reference.html#namedconf-statement-glue-cache" title="namedconf-statement-glue-cache"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">glue-cache</span></code></a> <em>option</em> has been marked as deprecated. The glue
cache <em>feature</em> still works and will be permanently <em>enabled</em> in a
future release. [GL #2146]</p></li>
<li><p>A number of non-working configuration options that had been marked as
obsolete in previous releases have now been removed completely. Using
any of the following options is now considered a configuration
failure: <code class="docutils literal notranslate"><span class="pre">acache-cleaning-interval</span></code>, <code class="docutils literal notranslate"><span class="pre">acache-enable</span></code>,
<code class="docutils literal notranslate"><span class="pre">additional-from-auth</span></code>, <code class="docutils literal notranslate"><span class="pre">additional-from-cache</span></code>,
<code class="docutils literal notranslate"><span class="pre">allow-v6-synthesis</span></code>, <code class="docutils literal notranslate"><span class="pre">cleaning-interval</span></code>, <code class="docutils literal notranslate"><span class="pre">dnssec-enable</span></code>,
<code class="docutils literal notranslate"><span class="pre">dnssec-lookaside</span></code>, <code class="docutils literal notranslate"><span class="pre">filter-aaaa</span></code>, <code class="docutils literal notranslate"><span class="pre">filter-aaaa-on-v4</span></code>,
<code class="docutils literal notranslate"><span class="pre">filter-aaaa-on-v6</span></code>, <code class="docutils literal notranslate"><span class="pre">geoip-use-ecs</span></code>, <code class="docutils literal notranslate"><span class="pre">lwres</span></code>,
<code class="docutils literal notranslate"><span class="pre">max-acache-size</span></code>, <code class="docutils literal notranslate"><span class="pre">nosit-udp-size</span></code>, <code class="docutils literal notranslate"><span class="pre">queryport-pool-ports</span></code>,
<code class="docutils literal notranslate"><span class="pre">queryport-pool-updateinterval</span></code>, <code class="docutils literal notranslate"><span class="pre">request-sit</span></code>, <code class="docutils literal notranslate"><span class="pre">sit-secret</span></code>,
<code class="docutils literal notranslate"><span class="pre">support-ixfr</span></code>, <code class="docutils literal notranslate"><span class="pre">use-queryport-pool</span></code>, <code class="docutils literal notranslate"><span class="pre">use-ixfr</span></code>. [GL #1086]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">dig</span></code> option <code class="docutils literal notranslate"><span class="pre">+unexpected</span></code> has been removed. [GL #2140]</p></li>
<li><p>IPv6 sockets are now explicitly restricted to sending and receiving
IPv6 packets only. As this breaks the <code class="docutils literal notranslate"><span class="pre">+mapped</span></code> option for <code class="docutils literal notranslate"><span class="pre">dig</span></code>,
the option has been removed. [GL #3093]</p></li>
<li><p>Disable and disallow static linking of BIND 9 binaries and libraries
as BIND 9 modules require <code class="docutils literal notranslate"><span class="pre">dlopen()</span></code> support and static linking also
prevents using security features like read-only relocations (RELRO) or
address space layout randomization (ASLR) which are important for
programs that interact with the network and process arbitrary user
input. [GL #1933]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">--with-gperftools-profiler</span></code> <code class="docutils literal notranslate"><span class="pre">configure</span></code> option was removed.
To use the gperftools profiler, the <code class="docutils literal notranslate"><span class="pre">HAVE_GPERFTOOLS_PROFILER</span></code> macro
now needs to be manually set in <code class="docutils literal notranslate"><span class="pre">CFLAGS</span></code> and <code class="docutils literal notranslate"><span class="pre">-lprofiler</span></code> needs to
be present in <code class="docutils literal notranslate"><span class="pre">LDFLAGS</span></code>. [GL !4045]</p></li>
</ul>
</section>
<section id="id115">
<h3><a class="toc-backref" href="#id281" role="doc-backlink">Feature Changes</a><a class="headerlink" href="#id115" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Aggressive Use of DNSSEC-Validated Cache (<a class="reference internal" href="reference.html#namedconf-statement-synth-from-dnssec" title="namedconf-statement-synth-from-dnssec"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">synth-from-dnssec</span></code></a>, see
<span class="target" id="index-35"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc8198.html"><strong>RFC 8198</strong></a>) is now enabled by default again, after having been
disabled in BIND 9.14.8. The implementation of this feature was
reworked to achieve better efficiency and tuned to ignore certain
types of broken NSEC records. Negative answer synthesis is currently
only supported for zones using NSEC. [GL #1265]</p></li>
<li><p>The default NSEC3 parameters for <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> were updated to no
extra SHA-1 iterations and no salt (<code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span> <span class="pre">1</span> <span class="pre">0</span> <span class="pre">0</span> <span class="pre">-</span></code>). This
change is in line with the <a class="reference external" href="https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02">latest NSEC3 recommendations</a>.
[GL #2956]</p></li>
<li><p>The default for <a class="reference internal" href="reference.html#namedconf-statement-dnssec-dnskey-kskonly" title="namedconf-statement-dnssec-dnskey-kskonly"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-dnskey-kskonly</span></code></a> was changed to <code class="docutils literal notranslate"><span class="pre">yes</span></code>. This
means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
the KSK by default. The additional signatures prepared using the ZSK
when the option is set to <code class="docutils literal notranslate"><span class="pre">no</span></code> add to the DNS response payload
without offering added value. [GL #1316]</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">dnssec-cds</span></code> now only generates SHA-2 DS records by default and
avoids copying deprecated SHA-1 records from a child zone to its
delegation in the parent. If the child zone does not publish SHA-2 CDS
records, <code class="docutils literal notranslate"><span class="pre">dnssec-cds</span></code> will generate them from the CDNSKEY records.
The <code class="docutils literal notranslate"><span class="pre">-a</span> <span class="pre">algorithm</span></code> option now affects the process of generating DS
digest records from both CDS and CDNSKEY records. Thanks to Tony
Finch. [GL #2871]</p></li>
<li><p>Previously, <code class="docutils literal notranslate"><span class="pre">named</span></code> accepted FORMERR responses both with and without
an OPT record, as an indication that a given server did not support
EDNS. To implement full compliance with <span class="target" id="index-36"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6891.html"><strong>RFC 6891</strong></a>, only FORMERR
responses without an OPT record are now accepted. This intentionally
breaks communication with servers that do not support EDNS and that
incorrectly echo back the query message with the RCODE field set to
FORMERR and the QR bit set to 1. [GL #2249]</p></li>
<li><p>The question section is now checked when processing AXFR, IXFR, and
SOA replies while transferring a zone in. [GL #1683]</p></li>
<li><p>DNS Flag Day 2020: the EDNS buffer size probing code, which made the
resolver adjust the EDNS buffer size used for outgoing queries based
on the successful query responses and timeouts observed, was removed.
The resolver now always uses the EDNS buffer size set in
<a class="reference internal" href="reference.html#namedconf-statement-edns-udp-size" title="namedconf-statement-edns-udp-size"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">edns-udp-size</span></code></a> for all outgoing queries. [GL #2183]</p></li>
<li><p>Keeping stale answers in cache (<a class="reference internal" href="reference.html#namedconf-statement-stale-cache-enable" title="namedconf-statement-stale-cache-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-cache-enable</span></code></a>) has been
disabled by default. [GL #1712]</p></li>
<li><p>Overall memory use by <code class="docutils literal notranslate"><span class="pre">named</span></code> has been optimized and significantly
reduced, especially for resolver workloads. [GL #2398] [GL #3048]</p></li>
<li><p>Memory allocation is now based on the memory allocation API provided
by the <a class="reference external" href="http://jemalloc.net/">jemalloc</a> library, on platforms where it is available. Use of
this library is now recommended when building BIND 9; although it is
optional, it is enabled by default. [GL #2433]</p></li>
<li><p>Internal data structures maintained for each cache database are now
grown incrementally when they need to be expanded. This helps maintain
a steady response rate on a loaded resolver while these internal data
structures are resized. [GL #2941]</p></li>
<li><p>The interface handling code has been refactored to use fewer
resources, which should lead to less memory fragmentation and better
startup performance. [GL #2433]</p></li>
<li><p>When reporting zone types in the statistics channel, the terms
<a class="reference internal" href="reference.html#namedconf-statement-type primary" title="namedconf-statement-type primary"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">primary</span></code></a> and <a class="reference internal" href="reference.html#namedconf-statement-type secondary" title="namedconf-statement-type secondary"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">secondary</span></code></a> are now used instead of <code class="docutils literal notranslate"><span class="pre">master</span></code> and
<code class="docutils literal notranslate"><span class="pre">slave</span></code>, respectively. [GL #1944]</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">nta</span> <span class="pre">-dump</span></code> and <code class="docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">secroots</span></code> commands now both include
<a class="reference internal" href="reference.html#namedconf-statement-validate-except" title="namedconf-statement-validate-except"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">validate-except</span></code></a> entries when listing negative trust anchors. These
are indicated by the keyword <code class="docutils literal notranslate"><span class="pre">permanent</span></code> in place of the expiry
date. [GL #1532]</p></li>
<li><p>The output of <code class="docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">serve-stale</span> <span class="pre">status</span></code> has been clarified. It now
explicitly reports whether retention of stale data in the cache is
enabled (<a class="reference internal" href="reference.html#namedconf-statement-stale-cache-enable" title="namedconf-statement-stale-cache-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-cache-enable</span></code></a>), and whether returning such data in
responses is enabled (<a class="reference internal" href="reference.html#namedconf-statement-stale-answer-enable" title="namedconf-statement-stale-answer-enable"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">stale-answer-enable</span></code></a>). [GL #2742]</p></li>
<li><p>Previously, using <code class="docutils literal notranslate"><span class="pre">dig</span> <span class="pre">+bufsize=0</span></code> had the side effect of disabling
EDNS, and there was no way to test the remote server’s behavior when
it had received a packet with EDNS0 buffer size set to 0. This is no
longer the case; <code class="docutils literal notranslate"><span class="pre">dig</span> <span class="pre">+bufsize=0</span></code> now sends a DNS message with EDNS
version 0 and buffer size set to 0. To disable EDNS, use <code class="docutils literal notranslate"><span class="pre">dig</span>
<span class="pre">+noedns</span></code>. [GL #2054]</p></li>
<li><p>BIND 9 binaries which are neither daemons nor administrative programs
were moved to <code class="docutils literal notranslate"><span class="pre">$bindir</span></code>. Only <code class="docutils literal notranslate"><span class="pre">ddns-confgen</span></code>, <code class="docutils literal notranslate"><span class="pre">named</span></code>, <code class="docutils literal notranslate"><span class="pre">rndc</span></code>,
<code class="docutils literal notranslate"><span class="pre">rndc-confgen</span></code>, and <code class="docutils literal notranslate"><span class="pre">tsig-confgen</span></code> were left in <code class="docutils literal notranslate"><span class="pre">$sbindir</span></code>.
[GL #1724]</p></li>
<li><p>The BIND 9 build system has been changed to use a typical
autoconf+automake+libtool stack. This should not make any difference
for people building BIND 9 from release tarballs, but when building
BIND 9 from the Git repository, <code class="docutils literal notranslate"><span class="pre">autoreconf</span> <span class="pre">-fi</span></code> needs to be run
first. Extra attention is also needed when using non-standard
<code class="docutils literal notranslate"><span class="pre">configure</span></code> options. [GL #4]</p></li>
</ul>
</section>
<section id="id116">
<h3><a class="toc-backref" href="#id282" role="doc-backlink">Bug Fixes</a><a class="headerlink" href="#id116" title="Link to this heading"></a></h3>
<ul class="simple">
<li><p>Log files using <code class="docutils literal notranslate"><span class="pre">timestamp</span></code>-style suffixes were not always correctly
removed when the number of files exceeded the limit set by
<code class="docutils literal notranslate"><span class="pre">versions</span></code>. This has been fixed. [GL #828]</p></li>
</ul>
</section>
</section>
<section id="license">
<span id="relnotes-license"></span><h2><a class="toc-backref" href="#id283" role="doc-backlink">License</a><a class="headerlink" href="#license" title="Link to this heading"></a></h2>
<p>BIND 9 is open source software licensed under the terms of the Mozilla Public
License, version 2.0 (see the <code class="docutils literal notranslate"><span class="pre">COPYING</span></code> file for the full text).</p>
<p>Those wishing to discuss license compliance may contact ISC at
<a class="reference external" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a>.</p>
</section>
<section id="end-of-life">
<h2><a class="toc-backref" href="#id284" role="doc-backlink">End of Life</a><a class="headerlink" href="#end-of-life" title="Link to this heading"></a></h2>
<p>BIND 9.18 (Extended Support Version) will be supported until at least
December, 2025. See <a class="reference external" href="https://kb.isc.org/docs/aa-00896">https://kb.isc.org/docs/aa-00896</a> for details of
ISC’s software support policy.</p>
</section>
<section id="thank-you">
<h2><a class="toc-backref" href="#id285" role="doc-backlink">Thank You</a><a class="headerlink" href="#thank-you" title="Link to this heading"></a></h2>
<p>Thank you to everyone who assisted us in making this release possible.</p>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="chapter10.html" class="btn btn-neutral float-left" title="10. Building BIND 9" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="changelog.html" class="btn btn-neutral float-right" title="Changelog" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>© Copyright 2025, Internet Systems Consortium.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>