There High DNS Reponse(1000 MS DNS Resolution) for facebook.com.... On Thu, Apr 5, 2012 at 1:38 AM, Brian Conry <bco...@isc.org> wrote:
> Introduction > > BIND 9.8.2 is the latest production release of BIND 9.8. > > This document summarizes changes from BIND 9.8.1 to BIND 9.8.2. > Please see the CHANGES file in the source code release for a complete > list of all changes. > > Download > > The latest versions of BIND 9 software can always be found on our > web site at http://www.isc.org/downloads/all. There you will find > additional information about each release, source code, and > pre-compiled versions for Microsoft Windows operating systems. > > Support > > Product support information is available on > http://www.isc.org/services/support for paid support options. Free > support is provided by our user community via a mailing list. > Information on all public email lists is available at > https://lists.isc.org/mailman/listinfo. > > Security Fixes > > + BIND 9 nameservers performing recursive queries could cache an > invalid record and subsequent queries for that record could > crash the resolvers with an assertion failure. [RT #26590] > [CVE-2011-4313] > > Feature Changes > > + RPZ implementation now conforms to version 3 of the specification. > [RT #27316] > > + It is now possible to explicitly disable DLV in named.conf by > specifying "dnssec-lookaside no;". This is the default, but the > ability to configure it makes it clearly visible to administrators. > [RT #24858] > > + --enable-developer, a new composite argument to the configure > script, enables a set of build options normally disabled but > frequently selected in test or development builds, specifically: > enable_fixed_rrset, with_atf, enable_filter_aaaa, enable_rpz_nsip, > enable_rpz_nsdname, and with_dlz_filesystem (and on Linux and > Darwin, also enable_exportlib) [RT #27103] > > Bug Fixes > + Named could dereference a NULL pointer in zmgr_start_xfrin_ifquota > if the zone was being removed. [RT #28419] > > + A parser bug could cause named to crash while reading a malformed > zone file. [RT #28467] > > + Fixed a problem preventing proper use of 64 bit time values in > libbind. [RT # 26542] > > + isccc/cc.c:table_fromwire could fail to free an allocated object on > error, leading to a possible memory leak condition. [RT #28265] > > + Fixed a build error on systems without ENOTSUP. [RT #28200] > > + The header file isc/hmacsha.h is now installed when building BIND. > [RT #28169] > > + Resolves spurious test failures in ans.pl by updating it to work > correctly with Net::DNS 0.68 [RT #28028] > > + The managed key maintenance timer could fail to restart after 'rndc > reconfig' resulting in managed keys not being properly added to > managed-keys.bind [RT #27686] > > + Corrects a potential overflow problem in the computation of > RRSIG expiration times. [RT #23311] > > + The maximum number of NSEC3 iterations for a DNSKEY RRset was > not being properly computed. [RT #26543] > > + Error reporting has been improved for failures encountered > when sending or receiving network packets. In particular > some memory allocation failures were being logged as "unexpected > error" - these will now be reported accurately. A new > ISC_R_UNSET result code has also been added to cover those > situations where there is no error code returned by the OS > sockets implementation. [RT #27336] > > + Corrects an INSIST failure by addressing race conditions in > the handling of rbtnode.deadlink. [RT #27738] > > + SOA refresh queries could be treated as cancelled despite > succeeding over the loopback interface. [RT #27782] > > + When replacing an NS RRset, BIND now restricts the TTL of the > new NS RRset to no more than that of the NS RRset it replaces > to fix a timing problem that can arise when removing a delegation. > [RT #27792/27884] > > + Raw zones with with more than 512 records in a RRset previously > failed to load. [RT #27863] > > + Make sure automatic key maintenance is started when "rndc reconfig" > is issued if "auto-dnssec maintain" is turned on. [RT #26805] > > + Windows builds are now restricted to a single listener thread > until incompatibility with the multiple listeners code can be > addressed [RT #27696] > > + AAAA responses could be returned in the additional section even > when filter-aaaa-on-v4 was in use. [RT #27292] > > + An error handling an out of memory condition could cause a stored > rdataset to be freed twice using DNS64. [RT #27762] > > + Some query patterns could cause responses not to be returned > in cyclic order though "rrset-order cyclic" was set. [RT > #27170/27185] > > + named-compilezone now longer emits "dump zone to <file>" message > when writing to stdout. [RT #27109] > > + Sets isc_socket_ipv6only() on the IPv6 control channels. This > addresses IPv6 socket binding problems that can occur in some > configurations when bindv6only=1 is set globally. [RT #22249] > > + named now reports a syntax error when a TXT record longer than > 255 characters is configured. [RT #26956] > > + Addresses race conditions in the resolver code that can cause > named to abort. [RT #26889] > > + Fixed a bug that could cause named to crash while loading a > zone with invalid DNSKEY records. [RT #26913] > > + Prevents dig -6 +trace from terminating with an error when > encountering a root nameserver without an AAAA record. RT #26906] > > + Prevents DNSKEY state change events from being missed by ensuring > that the timestamps used to determine which keys are in use are > set appropriately. [RT #26874] > > + When processing a list of keys, named now consistently compares > them with the same timestamp. [RT #26883] > > + Fixed a corner case race condition in the validator that may > cause an assert in a multi-threaded build of BIND. [RT #26478] > > + Poor error handling could cause named to hang during shutdown. > [RT #26372] > > + named now correctly validates DNSSEC positive wildcard responses > from NSEC3 signed zones. [RT #26200] > > + Fixes a problem with the computation of tags for revoked keys. > [RT #26186] > > + Corrects a problem with change #3186. dns_db_rpz_findips() > could fail to set the database version correctly, causing an > assertion failure. [RT #26180] > > + Master servers that had previously been marked as unreachable > because of failed zone transfer attempts will now be removed > from the "unreachable" list (i.e. considered reachable again) > if the slave receives a NOTIFY message from them. [RT #25960] > > + Fixes a bug in zone.c where failure to delete signatures could > lead to an assertion failure and subsequent abort. [RT #25880] > > + Corrects a problem validating root DS responses. [RT #25726] > > + Fixes a problem whereby "rndc dumpdb" could cause an assertion > failure and abort by attempting to print an empty rdataset [RT > #25452] > > + The order in which we process the reactivation of a dead node > in cache and the incrementing of its reference count created a > small timing window during which an inconsistency could be > detected and an assert occur in a multi-threaded environment. > This should no longer occur. [RT #23219] > > + 'dig -y' would crash when passed an unknown TSIG algorithm. dig > now handles unknown TSIG algorithms more gracefully. [RT #25522] > > + Servers that received negative responses from a forwarder were > failing to cache the answers correctly, resulting in multiple > queries for the same non-existent name being sent to the > forwarders instead of answers being provided to clients from > cache (until TTL expiry). [RT #25380] > > + Corrected a bug which could cause a slave server with > "allow-update-forwarding" set to become unresponsive if the > master it is trying to reach is off-line or unreachable. [RT > #24711] > > + Socket errors during during recursion were sometimes not handled > correctly which could lead to a named assert when an associated > query structure was used after it had already been freed [RT > #22208] > > + The logging level for DNSSEC validation failures due to expired > or not-yet-valid RRSIGs has been increased to log level "info" > to make it easier to diagnose these problems. Examples of the > new log messages are given below: > > 03-Nov-2011 22:40:55.335 validating @0x7fccc401e5a0: > > pastdate-A.test.dnssec-tools.org<http://pastdate-a.test.dnssec-tools.org/>A: > verify failed due to bad > signature (keyid=19442): RRSIG has expired > > 03-Nov-2011 22:41:31.335 validating @0x12b5d80: > > futuredate-A.test.dnssec-tools.org<http://futuredate-a.test.dnssec-tools.org/>A: > verify failed due to > bad signature (keyid=19442): RRSIG validity period has not > begun > > [RT #21796] > > + This change can reduce the time when a server is unavailable > during "rndc reconfig" for servers with large and complex > configurations. This is achieved by completing the parsing of > the configuration files in entirety before entering the exclusive > phase. (Note that it does not reduce the total time spent in > "rndc reconfig", and it has no measurable impact on server > initial start-up times.) [RT #21373] > > + Direct queries for type RRSIG or SIG (sometimes used while > testing) could be handled incorrectly in the case where there > is no answer available. [RT #21050] > > Thank You > > Thank you to everyone who assisted us in making this release > possible. If you would like to contribute to ISC to assist us > in continuing to make quality open source software, please visit > our donations page at http://www.isc.org/supportisc. > > (c) 2001-2012 Internet Systems Consortium > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users >
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
