BIND 9.20.17, 9.18.43, and 9.21.16 released
BIND 9.20.17, along with 9.18.43 and the latest development release, 9.21.16, has recently become available.
In BIND 9.20.17, the outgoing queries used to resolve delegation points have been improved: certain kinds of lookups that previously required more queries now need fewer. This should make resolution faster, particularly for a resolver with a cold cache that is working through complicated delegation chains or redirections.
Also in 9.20.17, when memory allocation fails during setup, the error message now gives more specific details. This is not cosmetic: precise error information makes such problems quicker to diagnose when they occur.
This release also fixes a couple of bugs in query resolution itself. One concerned timeouts: resolution loops were not always detected promptly, which could cause delays, in some cases a fixed ten-second one. That is now fixed.
Another fix: previously, switching a zone from NSEC3 back to NSEC after a retransfer could break signing because of a mismatched journal file on inline-signing secondary servers. The BIND developers have addressed that too.
If you manage zones containing 'AMTRELAY type 0' records, note that there was an issue with the presentation format: the placeholder period for the gateway field, used when no gateway is actually present, was not checked or generated correctly. That has been corrected, but zone files that already contain such records will likely need to be updated manually.
A parsing bug in remote-server settings involving keys or TLS configurations has also been fixed; it prevented certain setups from loading and produced an "unexpected token" error before startup. That should now be resolved.
BIND 9.18.43 addresses similar issues, giving users on the older branch the corresponding fixes without waiting for a major release.
Then there is the new development code: version 9.21.16 adds several upgrades and changes beyond what was fixed in 9.20.17. 'dig' users will be pleased: it now has options to show a truncated message before retrying over TCP, and to display the full DNS packet in a much more compact format.
The 'rndc dnssec -status' output has also gained a verbose mode, which makes status reporting clearer when examining key health and rollover progress. In addition, the QNAME minimization algorithm has been tweaked so that it behaves according to the standards even with some unusual authoritative DNS setups.
The 'prefetch' option is now validated more strictly at startup and by named-checkconf. If the trigger value is set too high (over 10), or the eligibility value does not leave a sufficient gap above the trigger, the server will refuse to load the configuration and named-checkconf will report an error.
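As an added illustration (not taken from the ISC announcement), here is a prefetch stanza that the stricter check rejects beside one it accepts. The syntax is the standard `prefetch <trigger> [<eligible>];` form from named.conf; the exact minimum gap between the two values is not stated in the announcement, so the accepted example uses the documented defaults.

```conf
options {
    // Rejected by 9.21.16: a trigger of 12 exceeds the maximum of 10,
    // so named refuses to load and named-checkconf reports an error.
    // prefetch 12 15;

    // Accepted: trigger 2, eligible 9 (the documented defaults),
    // leaving a clear gap between trigger and eligibility.
    prefetch 2 9;
};
```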
Catalog zones are also more restricted: they can no longer be used in non-IN views. If you configure that, the server will refuse to start and named-checkconf will flag an error.
Finally, the remote-servers parsing fix for key/TLS setups described above is included in 9.21.16 as well, alongside other background changes.
The new versions can be downloaded from the ISC software download page.
