Release Notes for BIND Version 9.14.2

Introduction

BIND 9.14 is a stable branch of BIND. This document summarizes significant
changes since the last production release on that branch.

Please see the file CHANGES for a more detailed list of changes and bug
fixes.

Note on Version Numbering

As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable"
release numbering convention. BIND 9.14 contains new features added during
the BIND 9.13 development process. Henceforth, the 9.14 branch will be
limited to bug fixes and new feature development will proceed in the
unstable 9.15 branch, and so forth.

Supported Platforms

Since 9.12, BIND has undergone substantial code refactoring and cleanup,
and some very old code has been removed that was needed to support legacy
platforms which are no longer supported by their vendors and for which ISC
is no longer able to perform quality assurance testing. Specifically,
workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS,
TruCluster and IRIX have been removed.

On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE
Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and
standard atomic operations provided by the C compiler.

More information can be found in the PLATFORM.md file that is included in
the source distribution of BIND 9. If your platform compiler and system
libraries provide the above features, BIND 9 should compile and run. If
that isn't the case, the BIND development team will generally accept
patches that add support for systems that are still supported by their
respective vendors.

As of BIND 9.14, the BIND development team has also made cryptography
(i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL
cryptography library must be available for the target platform. A PKCS#11
provider can be used instead for Public Key cryptography (i.e., DNSSEC
signing and validation), but OpenSSL is still required for general
cryptography operations such as hashing and random number generation.

Download

The latest versions of BIND 9 software can always be found at
http://www.isc.org/downloads/. There you will find additional information
about each release, source code, and pre-compiled versions for Microsoft
Windows operating systems.

Security Fixes

  * In certain configurations, named could crash with an assertion failure
    if nxdomain-redirect was in use and a redirected query resulted in an
    NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467.
    [GL #880]

  * The TCP client quota set using the tcp-clients option could be
    exceeded in some cases. This could lead to exhaustion of file
    descriptors. (CVE-2018-5743) [GL #615]

New Features

  * The new add-soa option specifies whether or not the response-policy
    zone's SOA record should be included in the additional section of RPZ
    responses. [GL #865]

Feature Changes

  * When trusted-keys and managed-keys are both configured for the same
    name, or when trusted-keys is used to configure a trust anchor for the
    root zone and dnssec-validation is set to the default value of auto,
    automatic RFC 5011 key rollovers will fail.

    This combination of settings was never intended to work, but there was
    no check for it in the parser. This has been corrected; a warning is
    now logged. (In BIND 9.15 and higher this error will be fatal.)
    [GL #868]
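
A pre-upgrade check for the two combinations described above, as an added
example that is not part of the original release notes and is not named's
own parser. The function names and the sample configuration are
hypothetical, the parsing is simplified, and the whole file is treated as
one scope (views are not distinguished).

```python
import re

# Constructed sample named.conf; key material is a placeholder, not a real key.
SAMPLE_CONF = '''
options {
    directory "/var/named";  // dnssec-validation is unset, so it defaults to auto
};
trusted-keys {
    . 257 3 8 "PLACEHOLDER//KEY==";
    example.com. 257 3 8 "PLACEHOLDERKEY==";
};
managed-keys {
    "Example.COM" initial-key 257 3 8 "PLACEHOLDERKEY==";
};
'''

# Quoted strings are matched first so a "//" inside a base64 key is not a comment.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def key_names(conf, stmt):
    """Owner names configured in every `stmt { ... };` block, normalised."""
    names = set()
    for body in re.findall(r'(?<![\w-])' + stmt + r'\s*\{([^{}]*)\}', conf):
        for entry in body.split(';'):
            tokens = entry.split()
            if tokens:
                names.add(tokens[0].strip('"').rstrip('.').lower() or '.')
    return names

def check_trust_anchors(text):
    """Return the trust-anchor combinations that break RFC 5011 rollovers."""
    conf = TOKEN.sub(lambda m: m.group() if m.group()[0] == '"' else ' ', text)
    trusted = key_names(conf, 'trusted-keys')
    managed = key_names(conf, 'managed-keys')
    m = re.search(r'(?<![\w-])dnssec-validation\s+(\w+)\s*;', conf)
    validation = m.group(1).lower() if m else 'auto'  # unset means auto
    findings = [f'{n}: in both trusted-keys and managed-keys'
                for n in sorted(trusted & managed)]
    if '.' in trusted and validation == 'auto':
        findings.append('.: trusted-keys root anchor with dnssec-validation auto')
    return findings

if __name__ == '__main__':
    for finding in check_trust_anchors(SAMPLE_CONF):
        print('WARNING', finding)
```
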

Bug Fixes

  * The allow-update and allow-update-forwarding options were
    inadvertently treated as configuration errors when used at the options
    or view level. This has now been corrected. [GL #913]

License

BIND is open source software licensed under the terms of the Mozilla
Public License, version 2.0 (see the LICENSE file for the full text).

The license requires that if you make changes to BIND and distribute them
outside your organization, those changes must be published under the same
license. It does not require that you publish or disclose anything other
than the changes you have made to our software. This requirement does not
affect anyone who is using BIND, with or without modifications, without
redistributing it, nor anyone redistributing BIND without changes.

Those wishing to discuss license compliance may contact ISC at
https://www.isc.org/mission/contact/.

End of Life

The end of life date for BIND 9.14 has not yet been determined. For those
needing long term support, the current Extended Support Version (ESV) is
BIND 9.11, which will be supported until at least December 2021. See
https://www.isc.org/downloads/software-support-policy/ for details of
ISC's software support policy.

Thank You

Thank you to everyone who assisted us in making this release possible. If
you would like to contribute to ISC to assist us in continuing to make
quality open source software, please visit our donations page at
http://www.isc.org/donate/.
