BIND 9.6.1 is now available. BIND 9.6.1 is a maintenance release for BIND 9.6. BIND 9.6.1 can be downloaded from ftp://ftp.isc.org/isc/bind9/9.6.1/bind-9.6.1.tar.gz The PGP signature of the distribution is at ftp://ftp.isc.org/isc/bind9/9.6.1/bind-9.6.1.tar.gz.asc ftp://ftp.isc.org/isc/bind9/9.6.1/bind-9.6.1.tar.gz.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.1/bind-9.6.1.tar.gz.sha512.asc The signature was generated with the ISC public key, which is available at . A binary kit for Windows XP, Windows 2003 and Windows 2008 is at ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.zip ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.debug.zip The PGP signature of the binary kit is at ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.zip.asc ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.zip.sha512.asc ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.debug.zip.asc ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.debug.zip.sha256.asc ftp://ftp.isc.org/isc/bind9/9.6.1/BIND9.6.1.debug.zip.sha512.asc Changes since 9.6.0: --- 9.6.1 released --- 2607. [bug] named could incorrectly delete NSEC3 records for empty nodes when processing a update request. [RT #19749] 2606. [bug] "delegation-only" was not being accepted in delegation-only type zones. [RT #19717] 2605. [bug] Accept DS responses from delegation only zones. [RT # 19296] 2603. [port] win32: handle .exe extension of named-checkzone and named-comilezone argv[0] names under windows. [RT #19767] 2602. [port] win32: fix debugging command line build of libisccfg. [RT #19767] --- 9.6.1rc1 released --- 2599. [bug] Address rapid memory growth when validation fails. [RT #19654] 2597. [bug] Handle a validation failure with a insecure delegation from a NSEC3 signed master/slave zone. [RT #19464] 2596. [bug] Stale tree nodes of cache/dynamic rbtdb could stay long, leading to inefficient memory usage or rejecting newer cache entries in the worst case. [RT #19563] 2595. [bug] Fix unknown extended rcodes in dig. [RT #19625] 2592. [bug] Treat "any" as a type in nsupdate. [RT #19455] 2591. [bug] named could die when processing a update in removed_orphaned_ds(). [RT #19507] 2588. [bug] SO_REUSEADDR could be set unconditionally after failure of bind(2) call. This should be rare and mostly harmless, but may cause interference with other processes that happen to use the same port. [RT #19642] 2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB or SDB. [RT #19577] 2585. [bug] Uninitialized socket name could be referenced via a statistics channel, triggering an assertion failure in XML rendering. [RT #19427] 2584. [bug] alpha: gcc optimization could break atomic operations. [RT #19227] 2583. [port] netbsd: provide a control to not add the compile date to the version string, -DNO_VERSION_DATE. 2582. [bug] Don't emit warning log message when we attempt to remove non-existant journal. [RT #19516] 2579. [bug] DNSSEC lookaside validation failed to handle unknown algorithms. [RT #19479] 2578. [bug] Changed default sig-signing-type to 65534, because 65535 turns out to be reserved. [RT #19477] 2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash. [RT #18837] --- 9.6.1b1 released --- 2577. [doc] Clarified some statistics counters. [RT #19454] 2576. [bug] NSEC record were not being correctly signed when a zone transitions from insecure to secure. Handle such incorrectly signed zones. [RT #19114] 2574. [doc] Document nsupdate -g and -o. [RT #19351] 2573. [bug] Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397] 2568. [bug] Report when the write to indicate a otherwise successful start fails. [RT #19360] 2567. [bug] dst__privstruct_writefile() could miss write errors. write_public_key() could miss write errors. dnssec-dsfromkey could miss write errors. [RT #19360] 2564. [bug] Only take EDNS fallback steps when processing timeouts. [RT #19405] 2563. [bug] Dig could leak a socket causing it to wait forever to exit. [RT #19359] 2562. [doc] ARM: miscellaneous improvements, reorganization, and some new content. 2561. [doc] Add isc-config.sh(1) man page. [RT #16378] 2560. [bug] Add #include to iptable.c. [RT #18258] 2559. [bug] dnssec-dsfromkey could compute bad DS records when reading from a K* files. [RT #19357] 2557. [cleanup] PCI compliance: * new libisc log module file * isc_dir_chroot() now also changes the working directory to "/". * additional INSISTs * additional logging when files can't be removed. 2556. [port] Solaris: mkdir(2) on tmpfs filesystems does not do the error checks in the correct order resulting in the wrong error code sometimes being returned. [RT #19249] 2554. [bug] Validation of uppercase queries from NSEC3 zones could fail. [RT #19297] 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 2552. [bug] zero-no-soa-ttl-cache was not being honoured. [RT #19340] 2551. [bug] Potential Reference leak on return. [RT #19341] 2550. [bug] Check --with-openssl= finds . [RT #19343] 2549. [port] linux: define NR_OPEN if not currently defined. [RT #19344] 2548. [bug] Install iterated_hash.h. [RT #19335] 2547. [bug] openssl_link.c:mem_realloc() could reference an out-of-range area of the source buffer. New public function isc_mem_reallocate() was introduced to address this bug. [RT #19313] 2545. [doc] ARM: Legal hostname checking (check-names) is for SRV RDATA too. [RT #19304] 2544. [cleanup] Removed unused structure members in adb.c. [RT #19225] 2543. [contrib] Update contrib/zkt to version 0.98. [RT #19113] 2542. [doc] Update the description of dig +adflag. [RT #19290] 2541. [bug] Conditionally update dispatch manager statistics. [RT #19247] 2539. [security] Update the interaction between recursion, allow-query, allow-query-cache and allow-recursion. [RT #19198] 2538. [bug] cache/ADB memory could grow over max-cache-size, especially with threads and smaller max-cache-size values. [RT #19240] 2537. [experimental] Added more statistics counters including those on socket I/O events and query RTT histograms. [RT #18802] 2536. [cleanup] Silence some warnings when -Werror=format-security is specified. [RT #19083] 2535. [bug] dig +showsearh and +trace interacted badly. [RT #19091] 2532. [bug] dig: check the question section of the response to see if it matches the asked question. [RT #18495] 2531. [bug] Change #2207 was incomplete. [RT #19098] 2530. [bug] named failed to reject insecure to secure transitions via UPDATE. [RT #19101] 2529. [cleanup] Upgrade libtool to silence complaints from recent version of autoconf. [RT #18657] 2528. [cleanup] Silence spurious configure warning about --datarootdir [RT #19096] 2527. [bug] named could reuse cache on reload with enabling/disabling validation. [RT #19119] 2525. [experimental] New logging category "query-errors" to provide detailed internal information about query failures, especially about server failures. [RT #19027] 2524. [port] sunos: dnssec-signzone needs strtoul(). [RT #19129] 2523. [bug] Random type rdata freed by dns_nsec_typepresent(). [RT #19112] 2522. [security] Handle -1 from DSA_do_verify() and EVP_VerifyFinal(). 2521. [bug] Improve epoll cross compilation support. [RT #19047] 2519. [bug] dig/host with -4 or -6 didn't work if more than two nameserver addresses of the excluded address family preceded in resolv.conf. [RT #19081] 2517. [bug] dig +trace with -4 or -6 failed when it chose a nameserver address of the excluded address. [RT #18843] 2516. [bug] glue sort for responses was performed even when not needed. [RT #19039] 2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains a nameserver of the excluded address family. [RT #18848] 2511. [cleanup] dns_rdata_tofmttext() add const to linebreak. [RT #18885] 2506. [port] solaris: Check at configure time if hack_shutup_pthreadonceinit is needed. [RT #19037] 2505. [port] Treat amd64 similarly to x86_64 when determining atomic operation support. [RT #19031] 2503. [port] linux: improve compatibility with Linux Standard Base. [RT #18793] 2502. [cleanup] isc_radix: Improve compliance with coding style, document function in . [RT #18534]