BIND 9.3.0rc1 is now available. BIND 9.3.0rc1 is a release candidate for BIND 9.3. BIND 9.3.0 has a number of new features over 9.2, including: DNSSEC is now DS based. See doc/draft/draft-ietf-dnsext-dnssec-* DNSSEC lookaside validation (experimental). check-names is now implemented. rrset-order in more complete. IPv4/IPv6 transition support, dual-stack-servers. IXFR deltas can now be generated when loading master files, ixfr-from-differences. It is now possible to specify the size of a journal, max-journal-size. It is now possible to define a named set of master servers to be used in masters clause, masters. The advertised EDNS UDP size can now be set, edns-udp-size. allow-v6-synthesis has been obsoleted. NOTE: * Zones containing MD and MF will now be rejected. * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than NOTIMPL. This will have impact on scripts that are looking for NOTIMPL. libbind: corresponds to that from BIND 8.4.5. NOTE: If you specified max-journal-size with a BIND 9.3.0 beta (upto beta 3) you may need to remove the journal. The journal compaction could leave the journal corrupted. NOTE: If you created TSIG keys using a BIND 9.3.0 beta dnsssec-keygen you will need to change the key type to KEY from DNSKEY in the .key file. NOTE: If you created keys for SIG(0) using a BIND 9.3.0 beta dnsssec-keygen you may need to replace them if you didn't use 'dnssec-keygen -k' to create KEY records rather than DNSKEY records. BIND 9.3.0rc1 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.3.0rc1/bind-9.3.0rc1.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.3.0rc1/bind-9.3.0rc1.tar.gz.asc The signature was generated with the ISC public key, which is available at . A binary kit for Windows NT 4.0 and Windows 2000 is at ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.3.0rc1/BIND9.3.0rc1.zip The PGP signature of the binary kit for Windows NT 4.0 and Windows 2000 is at ftp://ftp.isc.org/isc/bind/contrib/ntbind-9.3.0rc1/BIND9.3.0rc1.zip.asc The top of CHANGES contains: --- 9.3.0rc1 released --- 1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. 1662. [bug] Change #1658 failed to change one use of 'type' to 'keytype'. 1659. [cleanup] Cleanup some messages that were referring to KEY vs DNSKEY, NXT vs NSEC and SIG vs RRSIG. 1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 and DH. Tighten which options apply to KEY and DNSKEY records. 1657. [doc] ARM: document query log output. 1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC DNSKEY and RRSIG. [RT #11542] 1655. [bug] Logging multiple versions w/o a size was broken. [RT #11446] 1654. [bug] isc_result_totext() contained array bounds read error. 1653. [func] Add key type checking to dst_key_fromfilename(), DST_TYPE_KEY should be used to read TSIG, TKEY and SIG(0) keys. 1652. [bug] TKEY still uses KEY. 1651. [bug] dig: process multiple dash options. 1650. [bug] dig, nslookup: flush standard out after each command. 1649. [bug] Silence "unexpected non-minimal diff" message. [RT #11206] 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet implemented). 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. [RT #11445] 1646. [bug] win32: logging file versions didn't work with non-UNC filenames. [RT#11486] 1645. [bug] named could trigger a REQUIRE failure if multiple masters with keys are specified. 1644. [bug] Update the journal modification time after a sucessfull refresh query. [RT #11436] 1643. [bug] dns_db_closeversion() could leak memory / node references. [RT #11163] 1642. [port] Support OpenSSL implementations which don't have DSA support. [RT #11360] 1641. [bug] Update the check-names description in ARM. [RT #11389] --- 9.3.0beta4 released --- 1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was incorrectly closing the socket. [RT #11291] 1639. [func] Initial dlv system test. 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if a error had occured. The database version no longer matched the version of the database that was dumped. 1635. [bug] Memory leak on error in query_addds(). 1634. [bug] named didn't supply a useful error message when it detected duplicate views. [RT #11208] 1633. [bug] named should return NOTIMP to update requests to a slaves without a allow-update-forwarding acl specified. [RT #11331] 1632. [bug] nsupdate failed to send prerequisite only UPDATE messages. [RT #11288] 1631. [bug] dns_journal_compact() could sometimes corrupt the journal. [RT #11124] 1630. [contrib] queryperf: add support for IPv6 transport. 1629. [func] dig now supports IPv6 scoped addresses with the extended format in the local-server part. [RT #8753] 1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] 1627. [bug] win32: sockets were not being closed when the last external reference was removed. [RT# 11179] 1626. [bug] --enable-getifaddrs was broken. [RT#11259] 1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT# 11237] 1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. --- 9.3.0beta3 released --- 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] 1623. [bug] A serial number of zero was being displayed in the "sending notifies" log message when also-notify was used. [RT #11177] 1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is available, and suppress wildcard binding if not. 1621. [bug] match-destinations did not work for IPv6 TCP queries. [RT# 11156] 1620. [func] When loading a zone report if it is signed. [RT #11149] 1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). [RT# 11118] 1618. [bug] Fencepost errors in dns_name_ishostname() and dns_name_ismailbox() could trigger a INSIST(). 1617. [port] win32: VC++ 6.0 support. 1616. [compat] Ensure that named's version is visible in the core dump. [RT #11127] 1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if it is defined. 1614. [port] win32: silence resource limit messages. [RT# 11101] 1613. [bug] Builds would fail on machines w/o a if_nametoindex(). Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. [RT #11119] 1612. [bug] check-names at the option/view level could trigger an INSIST. [RT# 11116] 1611. [bug] solaris: IPv6 interface scanning failed to cope with no active IPv6 interfaces. 1610. [bug] On dual stack machines "dig -b" failed to set the address type to be looked up with "@server". [RT #11069] 1600. [bug] Duplicate zone pre-load checks were not case insensitive. 1599. [bug] Fix memory leak on error path when checking named.conf. 1598. [func] Specify that certain parts of the namespace must be secure (dnssec-must-be-secure). --- 9.3.0beta2 released --- 1609. [func] dig now has support to chase DNSSEC signature chains. Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. 1608. [func] dig and host now accept -4/-6 to select IP transport to use when making queries. 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initialized structure. 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] 1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] 1594. [bug] 'rndc dumpdb' could prevent named from answering queries while the dump was in progress. [RT #10565] 1593. [bug] rndc should return "unknown command" to unknown commands. [RT# 10642] --- 9.3.0beta1 released ---