BIND 9.7.0b1 available
Reviewed: October 21, 2009 | tags: Bind
The first beta of BIND 9.7.0 is now available:
- Fully automatic signing of zones by “named”.
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the “ddns-confgen” command line tool or the “local” update-policy option. (As a side effect, this also makes it easier to configure automatic zone re-signing.)
- New named option “attach-cache” that allows multiple views to share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance (see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key maintenance.
- The “statistics-channels” option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications (see README.libdns for details).
- On some platforms, named and other binaries can now print out a stack backtrace on an assertion failure, to aid in debugging.
- A “tools only” installation mode on Windows, which only installs dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit OpenSSL engine selection (see README.pkcs11 for additional details).
Warning: If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE, ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined then you should ensure that all changes that are in progress have completed prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
BIND 9.7.0b1 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz
The PGP signature of the distribution is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/bind-9.7.0b1.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip
The PGP signature of the binary kit is at:
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.0b1/BIND9.7.0b1.debug.zip.sha512.asc
Changes since 9.6.0:
--- 9.7.0b1 released ---
2715. [bug] Require OpenSSL support to be explicitly disabled. [RT #20288]
2714. [port] aix/powerpc: ‘asm("ics");’ needs non standard assembler flags.
2713. [bug] powerpc: atomic operations missing asm("ics") / __isync() calls.
2712. [func] New ‘auto-dnssec’ zone option allows zone signing to be fully automated in zones configured for dynamic DNS. ‘auto-dnssec allow;’ permits a zone to be signed by creating keys for it in the key-directory and using ‘rndc sign <zone>’. ‘auto-dnssec maintain;’ allows that too, plus it also keeps the zone’s DNSSEC keys up to date according to their timing metadata. [RT #19943]
2711. [port] win32: Add the bin/pkcs11 tools into the full build. [RT #20372]
2710. [func] New ‘dnssec-signzone -x’ flag and ‘dnskey-ksk-only’ zone option cause a zone to be signed with only KSKs signing the DNSKEY RRset, not ZSKs. This reduces the size of a DNSKEY answer. [RT #20340]
2709. [func] Added some data fields, currently unused, to the private key file format, to allow implementation of explicit key rollover in a future release without impairing backward or forward compatibility. [RT #20310]
2708. [func] Insecure to secure and NSEC3 parameter changes via update are now fully supported and no longer require defines to enable. We now no longer overload the NSEC3PARAM flag field, nor the NSEC OPT bit at the apex. Secure to insecure changes are controlled by the named.conf option ‘secure-to-insecure’.
Warning: If you had previously enabled support by adding defines at compile time to BIND 9.6 you should ensure that all changes that are in progress have completed prior to upgrading to BIND 9.7. BIND 9.7 is not backwards compatible.
2707. [func] dnssec-keyfromlabel no longer requires the engine name to be specified in the label if there is a default engine or the -E option has been used. Also, it now uses default algorithms as dnssec-keygen does (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). [RT #20371]
2706. [bug] Loading a zone with a very large NSEC3 salt could trigger an assert. [RT #20368]
2705. [placeholder]
2704. [bug] Serial of dynamic and stub zones could be inconsistent with their SOA serial. [RT #19387]
2703. [func] Introduce an OpenSSL “engine” argument with -E for all binaries which can take advantage of crypto hardware. [RT #20230]
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only supported TSIG key algorithm. [RT #18046]
2700. [doc] The match-mapped-addresses option is discouraged. [RT #12252]
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
2698. [placeholder]
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and S_IFREG are defined after including <isc/stat.h>. [RT #20309]
2696. [bug] named failed to successfully process some valid acl constructs. [RT #20308]
2695. [func] DHCP/DDNS – update fdwatch code for use by DHCP. Modify the API to isc_sockfdwatch_t (the callback function for isc_socket_fdwatchcreate) to include information about the direction (read or write) and add isc_socket_fdwatchpoke. [RT #20253]
2694. [bug] Reduce default NSEC3 iterations from 100 to 10. [RT #19970]
2693. [port] Add some noreturn attributes. [RT #20257]
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3 chain when re-signing a previously-signed zone. Use -u to modify NSEC3 parameters or switch between NSEC and NSEC3. [RT #20304]
2690. [bug] win32: fix isc_thread_key_getspecific() prototype. [RT #20315]
2689. [bug] Correctly handle snprintf result. [RT #20306]
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT, to decide to fetch the destination address. [RT #20305]
2687. [bug] Fixed dnssec-signzone -S handling of revoked keys. Also, added warnings when revoking a ZSK, as this is not defined by protocol (but is legal). [RT #19943]
2686. [bug] dnssec-signzone should clean the old NSEC chain when signing with NSEC3 and vice versa. [RT #20301]
2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
2684. [cleanup] dig: formalize +ad and +cd as synonyms for +adflag and +cdflag. [RT #19305]
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when the NSEC3 parameters used to sign the zone change. [RT #20246]
2682. [bug] “configure --enable-symtable=all” failed to build. [RT #20282]
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly decoded. [RT #20269]
2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
2679. [func] dig -k can now accept TSIG keys in named.conf format. [RT #20031]
2678. [func] Treat DS queries as if “minimal-response yes;” was set. [RT #20258]
2677. [func] Changes to key metadata behavior:
- Keys without “publish” or “active” dates set will no longer be used for smart signing. However, those dates will be set to “now” by default when a key is created; to generate a key but not use it yet, use dnssec-keygen -G.
- New “inactive” date (dnssec-keygen/settime -I) sets the time when a key is no longer used for signing but is still published.
- The “unpublished” date (-U) is deprecated in favor of “deleted” (-D). [RT #20247]
2676. [bug] --with-export-installdir should have been --with-export-includedir. [RT #20252]
2675. [bug] dnssec-signzone could crash if the key directory did not exist. [RT #20232]
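The zone configuration that changes 2712 and 2677 describe, together with the “local” update-policy option from the feature list, as an added example that is not part of the ISC release notes. The zone name and all paths are placeholders chosen for illustration.

```conf
// Constructed named.conf fragment; "example.com" and the paths are placeholders.
options {
    directory "/var/named";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Where named looks for this zone's DNSSEC key files.
    // Per change 2677, a key is only used for smart signing if its
    // "publish" and "active" dates are set (dnssec-keygen sets both to
    // "now" by default; keys created with -G are not used yet).
    key-directory "keys/example.com";

    // auto-dnssec only works in zones configured for dynamic DNS.
    // "local" accepts updates signed with the session key that named
    // generates itself, so no hand-made TSIG key is needed for updates
    // sent from the server host.
    update-policy local;

    // "allow":    keys in key-directory are used to sign the zone when an
    //             operator runs 'rndc sign example.com'.
    // "maintain": the same, and named also keeps the zone's DNSSEC keys
    //             up to date according to their timing metadata.
    auto-dnssec maintain;
};
```

With “allow”, signing stays an explicit operator action; with “maintain”, anything that can write into the key directory controls what the zone is signed with, so that directory's permissions deserve the same care as the private keys themselves.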