BIND 9.3.
Legal Notices © Copyright 2003-2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 BIND 9.3.2 Release Notes (page 5)
  Announcement (page 6)
  What Is In This Version (page 6)
  BIND 9.3.2 Features ...
List of Tables
1-1 Security-Related RRs in a Signed Zone (page 7)
1-2 New DNSSEC Options (page 7)
1-3 New Options in the Options Statement (page 9)
1-4 Options to Enable and Disable IXFR ...
1 BIND 9.3.2 Release Notes

This document discusses the most recent product information pertaining to Berkeley Internet Name Domain (BIND) 9.3.2. It also discusses how to install BIND 9.3.2 on the HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems.

This document addresses the following topics:
• “Announcement” (page 6)
• “What Is In This Version” (page 6)
• “BIND 9.3.2 Features” (page 6)
• “Changed Features” (page 15)
• “Installing BIND 9.3.
Announcement

BIND is a Berkeley implementation of the Domain Name System (DNS). It is a distributed network information lookup service that maps host names to Internet addresses, and Internet addresses to host names. It also facilitates Internet mail routing by providing a list of hosts that accept mail for other hosts. BIND 9.3.2 is the latest Web upgrade version of BIND. It is available for download at: http://h20293.www2.hp.
(Protocol Modifications for the DNS Security Extension). The DNSSEC implementation provides the following new features:
• Signed Zone
  A signed zone contains additional security-related resource records (RRs). Table 1-1 describes the additional security-related records in BIND 9.3.2.

  Table 1-1 Security-Related RRs in a Signed Zone
  RR Type | Description
  DNS Public Key (DNSKEY) | Enables normal DNS resolution and stores public keys. The DNSKEY record replaces the KEY record.
For more information on the new DNSSEC options, see named.conf(1).
• New DNSSEC statement in the options statement
  BIND 9.3.2 contains trusted-keys, a new DNSSEC statement in the options statement, located in the /etc/named.conf file. The trusted-keys statement defines DNSSEC security roots. A security root is defined when the public key for a non-authoritative zone cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned.
The masters_list option specifies one or more IP addresses of master servers, which the slave can contact to update its copy of the zone. The masters_list elements can also be the names of other master lists. This list can be used in the masters clause of the zone statement.

Following is a sample acl statement that assigns a symbolic name to an address match list:

  acl acl1 { 15.70.190.186; 15.70.190.115; };

Following is a sample zone statement with the masters clause:

  zone "example.
Table 1-3 New Options in the Options Statement (continued)
Option | Description
avoid-v4-udp-ports and avoid-v6-udp-ports | Prevents named from selecting certain ports
use-v4-udp-ports and use-v6-udp-ports | Specifies the port range to be selected by named
query-source-v6 | Specifies the address and port used for queries
tcp-listen-queue | Specifies the length of the listen queue. The default and minimum values are 3.
multiple records in a response, it is useful to configure the order of the records placed into the response. Following is the syntax of the rrset-order option:

  rrset-order { order_spec };

where an order_spec is defined as follows:

  [ class class_name ] [ type type_name ] [ name domain_name ] order ordering

The default value for class and type is ANY, and for name it is *.
domain names in the RDATA of NS, SOA, and MX records. It also applies to the RDATA of PTR records where the owner name indicates that it is a reverse lookup of a hostname (the owner name ends with in-addr.arpa, ip6.arpa, or ip6.int). The default value of the check-names option depends on the usage area. For master zones, the default value is fail. For slave zones, the default value is warn. For an answer (response) received from the network, the default value is ignore.
addresses. This option specifies host names or addresses of systems that can access both the IPv4 and IPv6 transports. If a host name is specified, the name server must be able to resolve it using only the transport it supports. If the dual-stack-servers option is used on a dual-stacked system, it has no effect when access to the IPv4 or IPv6 transport has been disabled on the command line with the named -4 or named -6 option, respectively.
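The options described above combined into one named.conf fragment, added here as an illustration and not taken from these release notes or from HP: the zone name, file name, the masters list name, the host ns.example.net and the trusted-keys value are assumptions, while the addresses are those of the acl sample.

```conf
// Added example (not from the HP release notes): one named.conf fragment
// combining the BIND 9.3.2 options described above. Zone name, file name,
// ns.example.net and the trusted-keys value are assumptions; the addresses
// are the ones from the acl sample.

// Symbolic name for an address match list.
acl acl1 { 15.70.190.186; 15.70.190.115; };

// A masters list; a zone statement may refer to it by name.
masters hp-masters { 15.70.190.186; 15.70.190.115; };

options {
    // Keep outgoing query source ports out of the well-known range and away
    // from ports other local services use (port_list syntax as in the BIND
    // 9.3 ARM). Together with the query ID, an unpredictable source port
    // raises the cost of forging a response.
    use-v4-udp-ports   { range 1024 65535; };
    avoid-v4-udp-ports { 1434; 3389; };
    use-v6-udp-ports   { range 1024 65535; };

    // check-names per usage area; these are the documented defaults for
    // master, slave and response, stated explicitly.
    check-names master fail;
    check-names slave warn;
    check-names response ignore;

    // Rotate the order of A records in any multi-record answer.
    rrset-order { class IN type A name "*" order cyclic; };

    // Hosts reachable over both transports that resolve names on behalf of
    // this server; has no effect when named is started with -4 or -6.
    dual-stack-servers { "ns.example.net"; };

    tcp-listen-queue 3;                     // default and minimum value
};

// DNSSEC security root for a zone whose key cannot be obtained securely
// through DNS. The key string is a placeholder, not a real DNSKEY.
trusted-keys {
    "example.com." 257 3 5 "PLACEHOLDER-BASE64-DNSKEY";
};

zone "example.com" {
    type slave;
    file "db.example.com";
    masters { hp-masters; };                // refers to the masters list above
    allow-transfer { acl1; };               // only the listed hosts may pull the zone
};
```

Checking the result with named-checkconf(1) before restarting named is the way to catch a syntax error in any of these statements.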
New Command-Line Options

Table 1-5 lists the new command-line options for the various binaries and tools in BIND 9.3.2.

Table 1-5 New Command-Line Options
Binaries/Tools | Options | Description
dnssec-keygen | -f flag | Sets the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
dnssec-keygen | -k | Generates KEY records instead of DNSKEY records
dnssec-signzone | -g | Generates DS records for child zones from the keyset files
Table 1-5 New Command-Line Options (continued)
Binaries/Tools | Options | Description
named | -6 | Directs named to use only the IPv6 transport, even if the host system is capable of handling IPv4 addresses
nsupdate | -t | Sets the maximum time an update request may take before it is aborted. The default value is 300 seconds. To disable the timeout, set this option to 0.
nsupdate | -u | Sets the UDP retry interval. The default value is 3 seconds.
  — In BIND 9.3.2, the key file supplied to nsupdate using the -k option must contain a key of type KEY, not DNSKEY.
  — The dnssec-signzone command creates the db..signed file, which contains the NSEC records (corresponding to the NXT record in 9.2.0) and the RRSIG records (corresponding to the SIG record in 9.2.0). Additionally, it creates a dsset- file that contains the DS record and a keyset- file that contains the DNSKEY record.
• The following dig features are modified in BIND 9.3.
NOTE: If you have installed the Web upgrade version of BIND 9.2.0 on an HP-UX 11i v1 system, ensure that you remove the BIND 9.2.0 depot before installing BIND 9.3.2.

Installation Instructions

To install BIND 9.3.2, complete the following steps:
1. Review to ensure that your system meets the BIND 9.3.2 installation requirements.
2. Go to the HP Software Depot website at: http://h20293.www2.hp.com/
3. Use the Search button to browse for BIND. The product catalog page is displayed.
NOTE: Ensure that the DNSUPGRADE.PHNE_33766 product or the DNSUPGRADE.PHNE_34226 product is installed before installing the DNSUPGRADE.BindUpgrade product. If you have installed the PHNE_33766 or PHNE_34226 patch, or any of its superseding patches, you need not install the DNSUPGRADE.PHNE_33766 or DNSUPGRADE.PHNE_34226 product.

14. Press the space bar to select the product that you wish to install.

IMPORTANT: Do not install Web release versions of BIND prior to BIND 9.3.2 after installing the DNSUPGRADE.
    # Initializing...
    # Contacting target "hostname"...
    #
    # Target: hostname:/
    #
      BindUpgrade                  C.9.3.2.7.0    BIND special release upgrade

• On an HP-UX 11i v3 operating system

    # Initializing...
    # Contacting target "hostname"...
    #
    # Target: hostname:/
    #
      HPUX-NameServer              C.9.3.2.8.0    HPUX Name Server
      HPUX-NameServer.NameService  C.9.3.2.8.0    Berkeley Internet Name Domain Server Protocol daemons and utilities

Unsupported Features

Following are the unsupported features in BIND 9.3.2:
• The following BIND 9.2.
Table 1-8 BIND 9.3.2 Manpages
Manpage | Description
dnssec-keygen(1) | Tool to generate keys for DNSSEC
dnssec-signzone(1) | Tool to sign the DNSSEC zone
host(1) | Utility for DNS lookup
named-checkconf(1) | Tool to check the syntax of the named configuration file
named-checkzone(1) | Tool to check the validity of a zone
nslookup.
It discusses the following topics:
• “Defects Fixed in the HP-UX 11i v1 and HP-UX 11i v2 Operating Systems” (page 21)
• “Defects Fixed in the HP-UX 11i v3 Operating System” (page 22)

Defects Fixed in the HP-UX 11i v1 and HP-UX 11i v2 Operating Systems

Table 1-9 lists the defects fixed in BIND 9.3.2 in both the HP-UX 11i v1 and HP-UX 11i v2 operating systems.

Table 1-9 Defects Fixed in both HP-UX 11i v1 and HP-UX 11i v2 Operating Systems
Identifier | Description
Defects fixed in BIND 9.3.2 (C.9.3.2.7.
Table 1-9 Defects Fixed in both HP-UX 11i v1 and HP-UX 11i v2 Operating Systems (continued)
Identifier | Description
QXCR1000924015 | DNSSEC Lookaside Validation (DLV) processing does not handle unknown signature algorithms correctly.
Defects fixed in BIND 9.3.2 (C.9.3.2.3.0)
QXCR1000577501 | The rndc recursing output file named.recursing contains old data.
QXCR1000821672 | Forgery resilience needs more improvements.
Defects fixed in BIND 9.3.2 (C.9.3.2.2.
Table 1-10 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier | Description
QXCR1000962881 | When named is started in a chroot environment, the following error is displayed: open(/dev/poll) failed: No such file or directory
Defects fixed in BIND 9.3.2 (C.9.3.2.6.0)
QXCR1000848700 | Some DNS responses arriving at the host are not delivered to the /usr/sbin/named process but are instead directed to other processes running on the same host.
Table 1-10 Defects Fixed in the HP-UX 11i v3 Operating System (continued)
Identifier | Description
JAGag45362 | Query ID generation is cryptographically weak.
JAGag32951 | named(1M) does not handle queries of type ANY properly.
JAGag32950 | named(1M) unexpectedly aborts under certain circumstances.