Release Notes 

Contents

Introduction 

BIND 9.18 is a stable branch, suitable for production use. This document summarizes significant changes since the last production release on that branch.

Supported Platforms 

See the Supported Platforms section in the BIND Resource Requirements chapter.

Download 

The latest versions of BIND 9 software can always be found at https://www.isc.org/download/. There you will find additional information about each release, and source code.

Notes for BIND 9.18.3 

Security Fixes 

Previously, TLS socket objects could be destroyed prematurely, which triggered assertion failures in named instances serving DNS-over-HTTPS (DoH) clients. This has been fixed.

ISC would like to thank Thomas Amgarten from arcade solutions ag for bringing this vulnerability to our attention. (CVE-2022-1183) [GL #3216]

Known Issues 

According to RFC 8310, Section 8.1, the Subject field MUST NOT be inspected when verifying a remote certificate while establishing a DNS-over-TLS connection. Only subjectAltName must be checked instead. Unfortunately, some quite old versions of cryptographic libraries might lack the ability to ignore the Subject field. This should have minimal production-use consequences, as most of the production-ready certificates issued by certificate authorities will have subjectAltName set. In such cases, the Subject field is ignored. Only old platforms are affected by this, e.g. those supplied with OpenSSL versions older than 1.1.1. [GL #3163]

New Features 

Catalog Zones schema version 2, as described in the “DNS Catalog Zones” IETF draft version 5 document, is now supported by named. All of the previously supported BIND-specific catalog zone custom properties (primaries, allow-query, and allow-transfer), as well as the new Change of Ownership (coo) property, are now implemented. Schema version 1 is still supported, with some additional validation rules applied from schema version 2: for example, the version property is mandatory, and a member zone PTR RRset must not contain more than one record. In the event of a validation error, a corresponding error message is logged to help with diagnosing the problem. [GL #3221] [GL #3222] [GL #3223] [GL #3224] [GL #3225]
Support DNS Extended Errors (RFC 8914) Stale Answer and Stale NXDOMAIN Answer when stale answers are returned from cache. [GL #2267]
Add support for remote TLS certificate verification, both to named and dig, making it possible to implement Strict and Mutual TLS authentication, as described in RFC 9103, Section 9.3. [GL #3163]

Bug Fixes 

Previously, CDS and CDNSKEY DELETE records were removed from the zone when configured with the auto-dnssec maintain; option. This has been fixed. [GL #2931]

Notes for BIND 9.18.2 

New Features 

Add a new configuration option reuseport to disable load balancing on sockets in situations where processing of Response Policy Zones (RPZ), Catalog Zones, or large zone transfers can cause service disruptions. See the BIND 9 ARM for more detail. [GL #3249]

Bug Fixes 

Previously, zone maintenance DNS queries retried forever if the destination server was unreachable. These queries included outgoing NOTIFY messages, refresh SOA queries, parental DS checks, and stub zone NS queries. For example, if a zone had any nameservers with IPv6 addresses and a secondary server without IPv6 connectivity, that server would keep trying to send a growing amount of NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive retry behavior has been fixed. [GL #3242]
A number of crashes and hangs which could be triggered in dig were identified and addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]
Invalid dnssec-policy definitions, where the defined keys did not cover both KSK and ZSK roles for a given algorithm, were being accepted. These are now checked, and the dnssec-policy is rejected if both roles are not present for all algorithms in use. [GL #3142]
Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. [GL #3200]

Notes for BIND 9.18.1 

Security Fixes 

The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)

ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
Lookups involving a DNAME could trigger an assertion failure when synth-from-dnssec was enabled (which is the default). (CVE-2022-0635)

ISC would like to thank Vincent Levigneron from AFNIC for bringing this vulnerability to our attention. [GL #3158]
When chasing DS records, a timed-out or artificially delayed fetch could cause named to crash while resuming a DS lookup. (CVE-2022-0667) [GL #3129]

Feature Changes 

The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent by a client are now included in the client information sent to DLZ modules when processing queries. [GL #3082]
DEBUG(1)-level messages were added when starting and ending the BIND 9 task-exclusive mode that stops normal DNS operation (e.g. for reconfiguration, interface scans, and other events that require exclusive access to a shared resource). [GL #3137]
The limit on the number of simultaneously processed pipelined DNS queries received over TCP has been removed. Previously, it was capped at 23 queries processed at the same time. [GL #3141]

Bug Fixes 

A failed view configuration during a named reconfiguration procedure could cause inconsistencies in BIND internal structures, causing a crash or other unexpected errors. This has been fixed. [GL #3060]
Previously, named logged a “quota reached” message when it hit its hard quota on the number of connections. That message was accidentally removed but has now been restored. [GL #3125]
The max-transfer-time-out and max-transfer-idle-out options were not implemented when the BIND 9 networking stack was refactored in 9.16. The missing functionality has been re-implemented and outgoing zone transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not read sent data, causing the TCP write buffers to fill. This has been fixed by adding a “write” timer. Connections that are hung while writing now time out after the tcp-idle-timeout period has elapsed. [GL #3132]
Client TCP connections are now closed immediately when data received cannot be parsed as a valid DNS request. [GL #3149]
The statistics counter representing the current number of clients awaiting recursive resolution results (RecursClients) could be miscalculated in certain resolution scenarios, potentially causing the value of the counter to drop below zero. This has been fixed. [GL #3147]
An error in the processing of the blackhole ACL could cause some DNS requests sent by named to fail - for example, zone transfer requests and SOA refresh queries - if the destination address or prefix was specifically excluded from the ACL using !, or if the ACL was set to none. This has now been fixed. blackhole worked correctly when it was left unset, or if only positive-match elements were included. [GL #3157]
Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. [GL #3111]

Notes for BIND 9.18.0 

Note

This section only lists changes since BIND 9.16.25, the most recent release on the previous stable branch of BIND before the publication of BIND 9.18.0.

Known Issues 

rndc has been updated to use the new BIND network manager API. As the network manager currently has no support for UNIX-domain sockets, those cannot now be used with rndc. This will be addressed in a future release, either by restoring UNIX-domain socket support or by formally declaring them to be obsolete in the control channel. [GL #1759]

New Features 

named now supports securing DNS traffic using Transport Layer Security (TLS). TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH).

named can use either a certificate provided by the user or an ephemeral certificate generated automatically upon startup. The tls statement allows fine-grained control over TLS parameters. [GL #1840] [GL #2795] [GL #2796]

For debugging purposes, named logs TLS pre-master secrets when the SSLKEYLOGFILE environment variable is set. This enables troubleshooting of issues with encrypted traffic. [GL #2723]
Support for DNS over TLS (DoT) has been added to named. Network interfaces for DoT are configured using the existing listen-on directive, while TLS parameters are configured using the new tls statement. [GL #1840]

named supports zone transfers over TLS (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.

Incoming zone transfers over TLS are enabled by adding the tls keyword, followed by either the name of a previously configured tls statement or the string ephemeral, to the addresses included in primaries lists. [GL #2392]

Similarly, the allow-transfer option was extended to accept additional port and transport parameters, to further restrict outgoing zone transfers to a particular port and/or DNS transport protocol. [GL #2776]

Note that zone transfers over TLS (XoT) require the dot Application-Layer Protocol Negotiation (ALPN) token to be selected in the TLS handshake, as required by RFC 9103 section 7.1. This might cause issues with non-compliant XoT servers. [GL #2794]

The dig tool is now able to send DoT queries (+tls option). [GL #1840]

There is currently no support for forwarding DNS queries via DoT.
Support for DNS over HTTPS (DoH) has been added to named. Both TLS-encrypted and unencrypted connections are supported (the latter may be used to offload encryption to other software). Network interfaces for DoH are configured using the existing listen-on directive, while TLS parameters are configured using the new tls statement and HTTP parameters are configured using the new http statement. [GL #1144] [GL #2472]

Server-side quotas on both the number of concurrent DoH connections and the number of active HTTP/2 streams per connection can be configured using the global http-listener-clients and http-streams-per-connection options, or the listener-clients and streams-per-connection parameters in an http statement. [GL #2809]

The dig tool is now able to send DoH queries (+https option). [GL #1641]

There is currently no support for forwarding DNS queries via DoH.

DoH support can be disabled at compile time using a new build-time option, --disable-doh. This allows BIND 9 to be built without the libnghttp2 library. [GL #2478]
A new logging category, rpz-passthru, was added, which allows RPZ passthru actions to be logged into a separate channel. [GL #54]
A new option, nsdname-wait-recurse, has been added to the response-policy clause in the configuration file. When set to no, RPZ NSDNAME rules are only applied if the authoritative nameservers for the query name have been looked up and are present in the cache. If this information is not present, the RPZ NSDNAME rules are ignored, but the information is looked up in the background and applied to subsequent queries. The default is yes, meaning that RPZ NSDNAME rules should always be applied, even if the information needs to be looked up first. [GL #1138]
Support for HTTPS and SVCB record types now also includes ADDITIONAL section processing for these record types. [GL #1132]
New configuration options, tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer, and udp-send-buffer, have been added. These options allow the operator to fine-tune the receiving and sending buffers in the operating system. On busy servers, increasing the size of the receive buffers can prevent the server from dropping packets during short traffic spikes, and decreasing it can prevent the server from becoming clogged with queries that are too old and have already timed out. [GL #2313]
New finer-grained update-policy rule types, krb5-subdomain-self-rhs and ms-subdomain-self-rhs, were added. These rule types restrict updates to SRV and PTR records so that their content can only match the machine name embedded in the Kerberos principal making the change. [GL #481]
Per-type record count limits can now be specified in update-policy statements, to limit the number of records of a particular type that can be added to a domain name via dynamic update. [GL #1657]
Support for OpenSSL 3.0 APIs was added. [GL #2843] [GL #3057]
Extended DNS Error Code 18 - Prohibited (see RFC 8914 section 4.19) is now set if query access is denied to the specific client. [GL #1836]
ipv4only.arpa is now served when DNS64 is configured. [GL #385]
dig can now report the DNS64 prefixes in use (+dns64prefix). This is useful when the host on which dig is run is behind an IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a Service). [GL #1154]
dig output now includes the transport protocol used (UDP, TCP, TLS, HTTPS). [GL #1144] [GL #1816]
dig +qid=<num> allows the user to specify a particular query ID for testing purposes. [GL #1851]

Removed Features 

Support for the map zone file format (masterfile-format map;) has been removed. Users relying on the map format are advised to convert their zones to the raw format with named-compilezone and change the configuration appropriately prior to upgrading BIND 9. [GL #2882]
Old-style Dynamically Loadable Zones (DLZ) drivers that had to be enabled in named at build time have been removed. New-style DLZ modules should be used as a replacement. [GL #2814]
Support for compiling and running BIND 9 natively on Windows has been completely removed. The last stable release branch that has working Windows support is BIND 9.16. [GL #2690]
Native PKCS#11 support has been removed. [GL #2691]

When built against OpenSSL 1.x, BIND 9 now uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL engine which is part of the OpenSC project.

As support for so-called “engines” was deprecated in OpenSSL 3.x, compiling BIND 9 against an OpenSSL 3.x build which does not retain support for deprecated APIs makes it impossible to use PKCS#11 in BIND 9. A replacement for engine_pkcs11 which employs the new “provider” approach introduced in OpenSSL 3.x is in the making. [GL #2843]
The utilities dnssec-checkds, dnssec-coverage, and dnssec-keymgr have been removed from the BIND distribution, as well as the isc Python package. DNSSEC features formerly provided by these utilities are now integrated into named. See the dnssec-policy configuration option for more details.

An archival version of the Python utilities has been moved to the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/. Please note these tools are no longer supported by ISC.
Since the old socket manager API has been removed, “socketmgr” statistics are no longer reported by the statistics channel. [GL #2926]
The glue-cache option has been marked as deprecated. The glue cache feature still works and will be permanently enabled in a future release. [GL #2146]
A number of non-working configuration options that had been marked as obsolete in previous releases have now been removed completely. Using any of the following options is now considered a configuration failure: acache-cleaning-interval, acache-enable, additional-from-auth, additional-from-cache, allow-v6-synthesis, cleaning-interval, dnssec-enable, dnssec-lookaside, filter-aaaa, filter-aaaa-on-v4, filter-aaaa-on-v6, geoip-use-ecs, lwres, max-acache-size, nosit-udp-size, queryport-pool-ports, queryport-pool-updateinterval, request-sit, sit-secret, support-ixfr, use-queryport-pool, use-ixfr. [GL #1086]
The dig option +unexpected has been removed. [GL #2140]
IPv6 sockets are now explicitly restricted to sending and receiving IPv6 packets only. As this breaks the +mapped option for dig, the option has been removed. [GL #3093]
Disable and disallow static linking of BIND 9 binaries and libraries as BIND 9 modules require dlopen() support and static linking also prevents using security features like read-only relocations (RELRO) or address space layout randomization (ASLR) which are important for programs that interact with the network and process arbitrary user input. [GL #1933]
The --with-gperftools-profiler configure option was removed. To use the gperftools profiler, the HAVE_GPERFTOOLS_PROFILER macro now needs to be manually set in CFLAGS and -lprofiler needs to be present in LDFLAGS. [GL !4045]

Feature Changes 

Aggressive Use of DNSSEC-Validated Cache (synth-from-dnssec, see RFC 8198) is now enabled by default again, after having been disabled in BIND 9.14.8. The implementation of this feature was reworked to achieve better efficiency and tuned to ignore certain types of broken NSEC records. Negative answer synthesis is currently only supported for zones using NSEC. [GL #1265]
The default NSEC3 parameters for dnssec-policy were updated to no extra SHA-1 iterations and no salt (NSEC3PARAM 1 0 0 -). This change is in line with the latest NSEC3 recommendations. [GL #2956]
The default for dnssec-dnskey-kskonly was changed to yes. This means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by default. The additional signatures prepared using the ZSK when the option is set to no add to the DNS response payload without offering added value. [GL #1316]
dnssec-cds now only generates SHA-2 DS records by default and avoids copying deprecated SHA-1 records from a child zone to its delegation in the parent. If the child zone does not publish SHA-2 CDS records, dnssec-cds will generate them from the CDNSKEY records. The -a algorithm option now affects the process of generating DS digest records from both CDS and CDNSKEY records. Thanks to Tony Finch. [GL #2871]
Previously, named accepted FORMERR responses both with and without an OPT record, as an indication that a given server did not support EDNS. To implement full compliance with RFC 6891, only FORMERR responses without an OPT record are now accepted. This intentionally breaks communication with servers that do not support EDNS and that incorrectly echo back the query message with the RCODE field set to FORMERR and the QR bit set to 1. [GL #2249]
The question section is now checked when processing AXFR, IXFR, and SOA replies while transferring a zone in. [GL #1683]
DNS Flag Day 2020: the EDNS buffer size probing code, which made the resolver adjust the EDNS buffer size used for outgoing queries based on the successful query responses and timeouts observed, was removed. The resolver now always uses the EDNS buffer size set in edns-udp-size for all outgoing queries. [GL #2183]
Keeping stale answers in cache (stale-cache-enable) has been disabled by default. [GL #1712]
Overall memory use by named has been optimized and significantly reduced, especially for resolver workloads. [GL #2398] [GL #3048]
Memory allocation is now based on the memory allocation API provided by the jemalloc library, on platforms where it is available. Use of this library is now recommended when building BIND 9; although it is optional, it is enabled by default. [GL #2433]
Internal data structures maintained for each cache database are now grown incrementally when they need to be expanded. This helps maintain a steady response rate on a loaded resolver while these internal data structures are resized. [GL #2941]
The interface handling code has been refactored to use fewer resources, which should lead to less memory fragmentation and better startup performance. [GL #2433]
When reporting zone types in the statistics channel, the terms primary and secondary are now used instead of master and slave, respectively. [GL #1944]
The rndc nta -dump and rndc secroots commands now both include validate-except entries when listing negative trust anchors. These are indicated by the keyword permanent in place of the expiry date. [GL #1532]
The output of rndc serve-stale status has been clarified. It now explicitly reports whether retention of stale data in the cache is enabled (stale-cache-enable), and whether returning such data in responses is enabled (stale-answer-enable). [GL #2742]
Previously, using dig +bufsize=0 had the side effect of disabling EDNS, and there was no way to test the remote server’s behavior when it had received a packet with EDNS0 buffer size set to 0. This is no longer the case; dig +bufsize=0 now sends a DNS message with EDNS version 0 and buffer size set to 0. To disable EDNS, use dig +noedns. [GL #2054]
BIND 9 binaries which are neither daemons nor administrative programs were moved to $bindir. Only ddns-confgen, named, rndc, rndc-confgen, and tsig-confgen were left in $sbindir. [GL #1724]
The BIND 9 build system has been changed to use a typical autoconf+automake+libtool stack. This should not make any difference for people building BIND 9 from release tarballs, but when building BIND 9 from the Git repository, autoreconf -fi needs to be run first. Extra attention is also needed when using non-standard configure options. [GL #4]

Bug Fixes 

Log files using timestamp-style suffixes were not always correctly removed when the number of files exceeded the limit set by versions. This has been fixed. [GL #828]

License 

BIND 9 is open source software licensed under the terms of the Mozilla Public License, version 2.0 (see the COPYING file for the full text).

Those wishing to discuss license compliance may contact ISC at https://www.isc.org/contact/.

BIND 9.18 is a stable branch, suitable for production use. After it has been in production use for a while it will be designated as an Extended Support Version (ESV). Until then, the current ESV is BIND 9.16, which will be supported until at least December 2023. See https://kb.isc.org/docs/aa-00896 for details of ISC’s software support policy.

Thank You 

Thank you to everyone who assisted us in making this release possible.