Development release of BIND 10: bind10-devel-20120301

The 17th development release of the BIND 10 suite is now available. Its notable additions include:

- Ability to start multiple authoritative server or resolver instances (resulting in significant query performance improvements on multi-core machines).
- b10-auth now supports signed zones (with NSEC and NSEC3) in the in-memory data source.
- Statistics counters added for b10-auth: per-opcode requests and RCODE responses.
- b10-xfrout now uses the global TSIG keyring for ACLs.

BIND 10 provides a DNS library in C++ with Python wrappers, an authoritative DNSSEC-capable DNS server (with SQLite3 and in-memory backends), and a recursive DNS server (with caching and forwarding). It also includes other cooperating components for zone transfer management, configuration management, remote control, statistics collection, and more. BIND 10 also includes libdhcp++ and proof-of-concept DHCP server code.

We are using the prototype BIND 10 authoritative and recursive DNS servers in production.

This snapshot tarball and PGP signature can be downloaded at:

ftp://ftp.isc.org/isc/bind10/devel-20120301/bind10-devel-20120301.tar.gz
ftp://ftp.isc.org/isc/bind10/devel-20120301/bind10-devel-20120301.tar.gz.sha512.asc

Users and developers are encouraged to participate on the BIND 10 mailing lists.

https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev

We look forward to hearing about your experiences with BIND 10.

Jeremy C. Reed
BIND 10 Release Engineer
ISC

p.s. A summary of the significant changes since the previous release includes (from the ChangeLog):

390. [bug] vorner
The UDP IPv6 packets are now correctly fragmented for maximum guaranteed MTU, so they won't get lost because being too large for some hop. (Trac #1534, git ff013364643f9bfa736b2d23fec39ac35872d6ad)

389. [func]* vorner
Xfrout now uses the global TSIG keyring, instead of its own. This means the keys need to be set only once (in tsig_keys/keys). However, the old configuration of Xfrout/tsig_keys need to be removed for Xfrout to work. (Trac #1643, git 5a7953933a49a0ddd4ee1feaddc908cd2285522d)

388. [func] jreed
Use prefix "sockcreator-" for the private temporary directory used for b10-sockcreator communication. (git b98523c1260637cb33436964dc18e9763622a242)

387. [build] muks
Accept a --without-werror configure switch so that some builders can disable the use of -Werror in CFLAGS when building. (Trac #1671, git 8684a411d7718a71ad9fb616f56b26436c4f03e5)

386. [bug] jelte
Upon initial sqlite3 database creation, the 'diffs' table is now always created. This already happened most of the time, but there are a few cases where it was skipped, resulting in potential errors in xfrout later. (Trac #1717, git 30d7686cb6e2fa64866c983e0cfb7b8fabedc7a2)

385. [bug] jinmei
libdns++: masterLoad() didn't accept comments placed at the end of an RR. Due to this the in-memory data source cannot load a master file for a signed zone even if it's preprocessed with BIND 9's named-compilezone. Note: this fix is considered temporary and still only accepts some limited form of such comments. The main purpose is to allow the in-memory data source to load any signed or unsigned zone files as long as they are at least normalized with named-compilezone. (Trac #1667, git 6f771b28eea25c693fe93a0e2379af924464a562)

384. [func] jinmei, jelte, vorner, haikuo, kevin
b10-auth now supports NSEC3-signed zones in the in-memory data source. (Trac #1580, #1581, #1582, #1583, #1584, #1585, #1587, and other related changes to the in-memory data source)

383. [build] jinmei
Fixed build failure on MacOS 10.7 (Lion) due to the use of IPV6_PKTINFO; the OS requires a special definition to make it visible to the compiler. (Trac #1633, git 19ba70c7cc3da462c70e8c4f74b321b8daad0100)

382. [func] jelte
b10-auth now also experimentally supports statistics counters of the rcode responses it sends. The counters can be shown as rcode., where code name is the lowercase textual representation of the rcode (e.g. "noerror", "formerr", etc.). Same note applies as for opcodes, see changelog entry 364. (Trac #1613, git e98da500d7b02e11347431a74f2efce5a7d622aa)

381. [bug] jinmei
b10-auth: honor the DNSSEC DO bit in the new query handler. (Trac #1695, git 61f4da5053c6a79fbc162fb16f195cdf8f94df64)

380. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSECPARAM RDATA implementation, including incorrect handling for empty salt and incorrect comparison logic. (Trac #1638, git 966c129cc3c538841421f1e554167d33ef9bdf25)

379. [bug] jelte
Configuration commands in bindctl now check for list indices if the 'identifier' argument points to a child element of a list item. Previously, it was possible to 'get' non-existent values by leaving out the index, e.g. "config show Auth/listen_on/port, which should be config show Auth/listen_on[]/port, since Auth/listen_on is a list. The command without an index will now show an error. It is still possible to show/set the entire list ("config show Auth/listen_on"). (Trac #1649, git 003ca8597c8d0eb558b1819dbee203fda346ba77)

378. [func] vorner
It is possible to start authoritative server or resolver in multiple instances, to use more than one core. Configuration is described in the guide. (Trac #1596, git 17f7af0d8a42a0a67a2aade5bc269533efeb840a)

377. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSEC and NSEC3 RDATA implementation, including a crash in NSEC3::toText() for some RR types, incorrect handling of empty NSEC3 salt, and incorrect comparison logic in NSEC3::compare(). (Trac #1641, git 28ba8bd71ae4d100cb250fd8d99d80a17a6323a2)

376. [bug] jinmei, vorner
The new query handling module of b10-auth did not handle type DS query correctly: It didn't look for it in the parent zone, and it incorrectly returned a DS from the child zone if it happened to exist there. Both were corrected, and it now also handles the case of having authority for the child and a grand ancestor. (Trac #1570, git 2858b2098a10a8cc2d34bf87463ace0629d3670e)

375. [func] jelte
Modules now inform the system when they are stopping. As a result, they are removed from the 'active modules' list in bindctl, which can then inform the user directly when it tries to send them a command or configuration update. Previously this would result in a 'not responding' error instead of 'not running'. (Trac #640, git 17e78fa1bb1227340aa9815e91ed5c50d174425d)

374. [func]* stephen
Alter RRsetPtr and ConstRRsetPtr to point to AbstractRRset (instead of RRset) to allow for specialised implementations of RRsets in data sources. (Trac #1604, git 3071211d2c537150a691120b0a5ce2b18d010239)

373. [bug] jinmei
libdatasrc: the in-memory data source incorrectly rejected loading a zone containing a CNAME RR with RRSIG and/or NSEC. (Trac #1551, git 76f823d42af55ce3f30a0d741fc9297c211d8b38)

372. [func] vorner
When the allocation of a socket fails for a different reason than the socket not being provided by the OS, the b10-auth and b10-resolver abort, as the system might be in inconsistent state after such error. (Trac #1543, git 49ac4659f15c443e483922bf9c4f2de982bae25d)

371. [bug] jelte
The new query handling module of b10-auth (currently only used with the in-memory data source) now correctly includes the DS record (or the denial of its existence if NSEC is used) when returning a delegation from a signed zone. (Trac #1573, git bd7a3ac98177573263950303d4b2ea7400781d0f)

370. [func] jinmei
libdns++: a new class NSEC3Hash was introduced as a utility for calculating NSEC3 hashes for various purposes. Python binding was provided, too. Also fixed a small bug in the NSEC3PARAM RDATA implementation that empty salt in text representation was rejected. (Trac #1575, git 2c421b58e810028b303d328e4e2f5b74ea124839)

369. [func] vorner
The SocketRequestor provides more information about what error happened when it throws, by using subclasses of the original exception. This way a user not interested in the difference can still use the original exception, while it can be recognized if necessary. (Trac #1542, git 2080e0316a339fa3cadea00e10b1ec4bc322ada0)

368. [func]* jinmei
libdatasrc: the interface of ZoneFinder() was changed: WILDCARD related result codes were deprecated and removed, and the corresponding information is now provided via a separate accessor method on FindResult. Other separate FindResult methods will also tell the caller whether the zone is signed with NSEC or NSEC3 (when necessary and applicable). (Trac #1611, git c175c9c06034b4118e0dfdbccd532c2ebd4ba7e8)

367. [bug] jinmei
libdatasrc: in-memory data source could incorrectly reject to load zones containing RRSIG records. For example, it didn't allow RRSIG that covers a CNAME RR. This fix also makes sure find() will return RRsets with RRSIGs if they are signed. (Trac #1614, git e8241ea5a4adea1b42a60ee7f2c5cfb87301734c)

366. [bug] vorner
Fixed problem where a directory named "io" conflicted with the python3 standard module "io" and caused the installation to fail. The offending directory has been renamed to "cio". (Trac #1561, git d81cf24b9e37773ba9a0d5061c779834ff7d62b9)

365. [bug] jinmei
libdatasrc: in-memory datasource incorrectly returned delegation for DS lookups. (Trac #1571, git d22e90b5ef94880183cd652e112399b3efb9bd67)

364. [func] jinmei
b10-auth experimentally supports statistics counters of incoming requests per opcode. The counters can be (e.g.) shown as opcode. in the output of the bindctl "Stats show" command, where is lower-cased textual representation of opcodes ("query", "notify", etc). Note: This is an experimental attempt of supporting more statistics counters for b10-auth, and the interface and output may change in future versions. (Trac #1399, git 07206ec76e2834de35f2e1304a274865f8f8c1a5)