Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Jeremy C. Reed (jreedisc.org)
Date: Thu Mar 01 2012 - 09:56:45 CST
-----BEGIN PGP SIGNED MESSAGE-----
Development release of BIND 10: bind10-devel-20120301
The 17th development release of the BIND 10 suite is now available.
Its notable additions include:
- - Ability to start multiple authoritative server or resolver
instances (resulting in significant query performance improvements
on multi-core machines).
- - b10-auth now supports signed zones (with NSEC and NSEC3) in the
in-memory data source.
- - Statistics counters added for b10-auth: per-opcode requests and
- - b10-xfrout now uses the global TSIG keyring for ACLs.
BIND 10 provides a DNS library in C++ with Python wrappers, an
authoritative DNSSEC-capable DNS server (with SQLite3 and in-memory
backends), and a recursive DNS server (with caching and forwarding).
It also includes other cooperating components for zone transfer
management, configuration management, remote control, statistics
collection, and more. BIND 10 also includes libdhcp++ and
proof-of-concept DHCP server code. We are using the prototype BIND
10 authoritative and recursive DNS servers in production.
This snapshot tarball and PGP signature can be downloaded at:
Users and developers are encouraged to participate on the BIND 10
We look forwarding to hearing about your experiences with BIND 10.
Jeremy C. Reed
BIND 10 Release Engineer
p.s. A summary of the significant changes since the previous release
include (from the ChangeLog):
390. [bug] vorner
The UDP IPv6 packets are now correctly fragmented for maximum
guaranteed MTU, so they won't get lost because being too large
for some hop.
(Trac #1534, git ff013364643f9bfa736b2d23fec39ac35872d6ad)
389. [func]* vorner
Xfrout now uses the global TSIG keyring, instead of its own. This
means the keys need to be set only once (in tsig_keys/keys).
However, the old configuration of Xfrout/tsig_keys need to be
removed for Xfrout to work.
(Trac #1643, git 5a7953933a49a0ddd4ee1feaddc908cd2285522d)
388. [func] jreed
Use prefix "sockcreator-" for the private temporary directory
used for b10-sockcreator communication.
387. [build] muks
Accept a --without-werror configure switch so that some builders can
disable the use of -Werror in CFLAGS when building.
(Trac #1671, git 8684a411d7718a71ad9fb616f56b26436c4f03e5)
386. [bug] jelte
Upon initial sqlite3 database creation, the 'diffs' table is now
always created. This already happened most of the time, but there
are a few cases where it was skipped, resulting in potential errors
in xfrout later.
(Trac #1717, git 30d7686cb6e2fa64866c983e0cfb7b8fabedc7a2)
385. [bug] jinmei
libdns++: masterLoad() didn't accept comments placed at the end of
an RR. Due to this the in-memory data source cannot load a master
file for a signed zone even if it's preprocessed with BIND 9's
Note: this fix is considered temporary and still only accepts some
limited form of such comments. The main purpose is to allow the
in-memory data source to load any signed or unsigned zone files as
long as they are at least normalized with named-compilezone.
(Trac #1667, git 6f771b28eea25c693fe93a0e2379af924464a562)
384. [func] jinmei, jelte, vorner, haikuo, kevin
b10-auth now supports NSEC3-signed zones in the in-memory data
(Trac #1580, #1581, #1582, #1583, #1584, #1585, #1587, and
other related changes to the in-memory data source)
383. [build] jinmei
Fixed build failure on MacOS 10.7 (Lion) due to the use of
IPV6_PKTINFO; the OS requires a special definition to make it
visible to the compiler.
(Trac #1633, git 19ba70c7cc3da462c70e8c4f74b321b8daad0100)
382. [func] jelte
b10-auth now also experimentally supports statistics counters of
the rcode responses it sends. The counters can be shown as
rcode.<code name>, where code name is the lowercase textual
representation of the rcode (e.g. "noerror", "formerr", etc.).
Same note applies as for opcodes, see changelog entry 364.
(Trac #1613, git e98da500d7b02e11347431a74f2efce5a7d622aa)
381. [bug] jinmei
b10-auth: honor the DNSSEC DO bit in the new query handler.
(Trac #1695, git 61f4da5053c6a79fbc162fb16f195cdf8f94df64)
380. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSECPARAM RDATA
implementation, including incorrect handling for empty salt and
incorrect comparison logic.
(Trac #1638, git 966c129cc3c538841421f1e554167d33ef9bdf25)
379. [bug] jelte
Configuration commands in bindctl now check for list indices if
the 'identifier' argument points to a child element of a list
item. Previously, it was possible to 'get' non-existent values
by leaving out the index, e.g. "config show Auth/listen_on/port,
which should be config show Auth/listen_on[<index>]/port, since
Auth/listen_on is a list. The command without an index will now
show an error. It is still possible to show/set the entire list
("config show Auth/listen_on").
(Trac #1649, git 003ca8597c8d0eb558b1819dbee203fda346ba77)
378. [func] vorner
It is possible to start authoritative server or resolver in multiple
instances, to use more than one core. Configuration is described in
(Trac #1596, git 17f7af0d8a42a0a67a2aade5bc269533efeb840a)
377. [bug] jinmei
libdns++: miscellaneous bug fixes for the NSEC and NSEC3 RDATA
implementation, including a crash in NSEC3::toText() for some RR
types, incorrect handling of empty NSEC3 salt, and incorrect
comparison logic in NSEC3::compare().
(Trac #1641, git 28ba8bd71ae4d100cb250fd8d99d80a17a6323a2)
376. [bug] jinmei, vorner
The new query handling module of b10-auth did not handle type DS
query correctly: It didn't look for it in the parent zone, and
it incorrectly returned a DS from the child zone if it
happened to exist there. Both were corrected, and it now also
handles the case of having authority for the child and a grand
(Trac #1570, git 2858b2098a10a8cc2d34bf87463ace0629d3670e)
375. [func] jelte
Modules now inform the system when they are stopping. As a result,
they are removed from the 'active modules' list in bindctl, which
can then inform the user directly when it tries to send them a
command or configuration update. Previously this would result
in a 'not responding' error instead of 'not running'.
(Trac #640, git 17e78fa1bb1227340aa9815e91ed5c50d174425d)
374. [func]* stephen
Alter RRsetPtr and ConstRRsetPtr to point to AbstractRRset (instead
of RRset) to allow for specialised implementations of RRsets in
(Trac #1604, git 3071211d2c537150a691120b0a5ce2b18d010239)
373. [bug] jinmei
libdatasrc: the in-memory data source incorrectly rejected loading
a zone containing a CNAME RR with RRSIG and/or NSEC.
(Trac #1551, git 76f823d42af55ce3f30a0d741fc9297c211d8b38)
372. [func] vorner
When the allocation of a socket fails for a different reason than the
socket not being provided by the OS, the b10-auth and b10-resolver
abort, as the system might be in inconsistent state after such error.
(Trac #1543, git 49ac4659f15c443e483922bf9c4f2de982bae25d)
371. [bug] jelte
The new query handling module of b10-auth (currently only used with
the in-memory data source) now correctly includes the DS record (or
the denial of its existence if NSEC is used) when returning a
delegation from a signed zone.
(Trac #1573, git bd7a3ac98177573263950303d4b2ea7400781d0f)
370. [func] jinmei
libdns++: a new class NSEC3Hash was introduced as a utility for
calculating NSEC3 hashes for various purposes. Python binding was
provided, too. Also fixed a small bug in the NSEC3PARAM RDATA
implementation that empty salt in text representation was
(Trac #1575, git 2c421b58e810028b303d328e4e2f5b74ea124839)
369. [func] vorner
The SocketRequestor provides more information about what error
happened when it throws, by using subclasses of the original
exception. This way a user not interested in the difference can
still use the original exception, while it can be recognized if
(Trac #1542, git 2080e0316a339fa3cadea00e10b1ec4bc322ada0)
368. [func]* jinmei
libdatasrc: the interface of ZoneFinder() was changed: WILDCARD
related result codes were deprecated and removed, and the
corresponding information is now provided via a separate accessor
method on FindResult. Other separate FindResult methods will
also tell the caller whether the zone is signed with NSEC or NSEC3
(when necessary and applicable).
(Trac #1611, git c175c9c06034b4118e0dfdbccd532c2ebd4ba7e8)
367. [bug] jinmei
libdatasrc: in-memory data source could incorrectly reject to load
zones containing RRSIG records. For example, it didn't allow
RRSIG that covers a CNAME RR. This fix also makes sure find()
will return RRsets with RRSIGs if they are signed.
(Trac #1614, git e8241ea5a4adea1b42a60ee7f2c5cfb87301734c)
366. [bug] vorner
Fixed problem where a directory named "io" conflicted with the python3
standard module "io" and caused the installation to fail. The
offending directory has been renamed to "cio".
(Trac #1561, git d81cf24b9e37773ba9a0d5061c779834ff7d62b9)
365. [bug] jinmei
libdatasrc: in-memory datasource incorrectly returned delegation
for DS lookups.
(Trac #1571, git d22e90b5ef94880183cd652e112399b3efb9bd67)
364. [func] jinmei
b10-auth experimentally supports statistics counters of incoming
requests per opcode. The counters can be (e.g.) shown as
opcode.<code name> in the output of the bindctl "Stats show"
command, where <code name> is lower-cased textual representation
of opcodes ("query", "notify", etc).
Note: This is an experimental attempt of supporting more
statistics counters for b10-auth, and the interface and output may
change in future versions.
(Trac #1399, git 07206ec76e2834de35f2e1304a274865f8f8c1a5)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
-----END PGP SIGNATURE-----
bind-announce mailing list