Release Notes for BIND Version 9.11.4-P1

Introduction

   This document summarizes changes since the last production release on
   the BIND 9.11 (Extended Support Version) branch. Please see the CHANGES
   file for a further list of bug fixes and other changes.

Download

   The latest versions of BIND 9 software can always be found at
   http://www.isc.org/downloads/. There you will find additional
   information about each release, source code, and pre-compiled versions
   for Microsoft Windows operating systems.

License Change

   With the release of BIND 9.11.0, ISC changed to the open source license
   for BIND from the ISC license to the Mozilla Public License (MPL 2.0).

   The MPL-2.0 license requires that if you make changes to licensed
   software (e.g. BIND) and distribute them outside your organization,
   that you publish those changes under that same license. It does not
   require that you publish or disclose anything other than the changes
   you made to our software.

   This requirement will not affect anyone who is using BIND, with or
   without modifications, without redistributing it, nor anyone
   redistributing it without changes. Therefore, this change will be
   without consequence for most individuals and organizations who are
   using BIND.

   Those unsure whether or not the license change affects their use of
   BIND, or who wish to discuss how to comply with the license may contact
   ISC at https://www.isc.org/mission/contact/.

Legacy Windows No Longer Supported

   As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
   platforms for BIND; "XP" binaries are no longer available for download
   from ISC.

Security Fixes

     * named could crash during recursive processing of DNAME records when
       deny-answer-aliases was in use. This flaw is disclosed in
       CVE-2018-5740. [GL #387]
     * When recursion is enabled but the allow-recursion and
       allow-query-cache ACLs are not specified, they should be limited to
       local networks, but they were inadvertently set to match the
       default allow-query, thus allowing remote queries. This flaw is
       disclosed in CVE-2018-5738. [GL #309]

New Features

     * named now supports the "root key sentinel" mechanism. This enables
       validating resolvers to indicate which trust anchors are configured
       for the root, so that information about root key rollover status
       can be gathered. To disable this feature, add root-key-sentinel no;
       to named.conf.
     * Added the ability not to return a DNS COOKIE option when one is
       present in the request. To prevent a cookie being returned, add
       answer-cookie no; to named.conf. [GL #173]
       answer-cookie no is only intended as a temporary measure, for use
       when named shares an IP address with other servers that do not yet
       support DNS COOKIE. A mismatch between servers on the same address
       is not expected to cause operational problems, but the option to
       disable COOKIE responses so that all servers have the same behavior
       is provided out of an abundance of caution. DNS COOKIE is an
       important security mechanism, and should not be disabled unless
       absolutely necessary.

Removed Features

     * named will now log a warning if the old BIND now can be compiled
       against libidn2 library to add IDNA2008 support. Previously BIND
       only supported IDNA2003 using (now obsolete) idnkit-1 library.

Feature Changes

     * dig +noidnin can be used to disable IDN processing on the input
       domain name, when BIND is compiled with IDN support.
     * Multiple cookie-secret clause are now supported. The first
       cookie-secret in named.conf is used to generate new server cookies.
       Any others are used to accept old server cookies or those generated
       by other servers using the matching cookie-secret.

Bug Fixes

     * named now rejects excessively large incremental (IXFR) zone
       transfers in order to prevent possible corruption of journal files
       which could cause named to abort when loading zones. [GL #339]
     * rndc reload could cause named to leak memory if it was invoked
       before the zone loading actions from a previous rndc reload command
       were completed. [RT #47076]

End of Life

   BIND 9.11 (Extended Support Version) will be supported until at least
   December, 2021. See
   https://www.isc.org/downloads/software-support-policy/ for details of
   ISC's software support policy.

Thank You

   Thank you to everyone who assisted us in making this release possible.
   If you would like to contribute to ISC to assist us in continuing to
   make quality open source software, please visit our donations page at
   http://www.isc.org/donate/.