BIND 9.5.2-P4 is now available. BIND 9.5.2-P4 is a recommended patch for BIND 9.5. It addresses a bug introduced in BIND 9.5.2-P3 and is recommend for anyone running BIND 9.5.2-P3. Bugs should be reported to bind9-bugs@isc.org. BIND 9.5.2-P4 can be downloaded from: ftp://ftp.isc.org/isc/bind9/9.5.2-P4/bind-9.5.2-P4.tar.gz PGP signatures of the distribution are at: ftp://ftp.isc.org/isc/bind9/9.5.2-P4/bind-9.5.2-P4.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/bind-9.5.2-P4.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/bind-9.5.2-P4.tar.gz.sha512.asc The signatures were generated with the ISC public key, which is available at https://www.isc.org/about/openpgp A binary kit for Windows XP, Windows 2003 and Windows 2008 is at: ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.zip ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.debug.zip PGP signatures of the binary kit are at: ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.5.2-P4/BIND9.5.2-P4.debug.zip.sha512.asc Changes since 9.5.2: --- 9.5.2-P4 released --- 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131] --- 9.5.2-P3 released --- 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] --- 9.5.2-P2 released --- 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] --- 9.5.2-P1 released --- 2772. [security] When validating, track whether pending data was from the additional section or not and only return it if validates as secure. [RT #20438] --- 9.5.2 released ---