NAMED-040_A053 RELEASE NOTES                                    10-Feb-2009

NAMED-040_A053 -- ECO Rank 1
-------------------------------------------------------------------------

The following changes have been made in this kit:

- Corrects a problem when using RNDC from a remote host to control a
  MultiNet NAMED server. (D/E 10983)

- Incorporated the BIND 9.6.1-P3 updates, which are a SECURITY PATCH for
  BIND 9.6.1. They address two potential cache poisoning vulnerabilities,
  both of which could allow a validating recursive nameserver to cache
  data which had not been authenticated or was invalid. (D/E 10981)

- Addresses performance issues for the NAMED server on VAX. (D/E 10946)

- When validating with DNSSEC, track whether pending data was from the
  additional section or not and only return it if it validates as secure
  (CVE-2009-4022). (D/E 10945)

- Added support for the SPF and IPSEC RR data types. (D/E 10931)

This kit also includes changes from previous ECOs:

- Corrects a problem when receiving queries over IPv6 network connections.
  (NAMED-030_A053 D/E 10917)

- Corrects an intermittent fatal error in the supporting socket library.
  (NAMED-020_A053 D/E 10902)

- Implemented the ISC security fix to protect against DoS attacks with
  dynamic updates (ISC BIND 9.6.1-p1). (NAMED-010_A053 D/E 10893)

- Upgraded to version 9.6.1 of the BIND 9 codebase, the most recent ISC
  release. (NAMED-010_A053 D/E 10883)

  BIND 9.6.1 has a number of new features over previous versions,
  including, but not limited to:

  - Full NSEC3 support
  - Automatic zone re-signing
  - New update-policy methods tcp-self and 6to4-self
  - Improved statistics reporting

- Added support for MULTINET NSUPDATE command line parsing. (D/E 10547)

- Added functionality to specify a specific operator class for OPCOM
  messages.
  Using the logical MULTINET_NAMED_OPCOM_TARGET a system administrator can
  define a value from OPER1 through OPER12. The default or undefined value
  is the NETWORK class. (D/E 10409)

-------------------------------------------------------------------------

This kit, as it also applies to MultiNet version 5.2 Rev A, includes the
following changes from previous ECOs:

- Corrects a problem with the timestamps used in TSIG keys when making or
  validating NSUPDATE requests. (D/E 10820, ECO NAMED-080_A052)

- Corrects an intermittent fatal error found in one of the supporting
  named libraries. (D/E 10793 ECO NAMED-070_A052)

- Corrects a temporary file handling problem with the netc reload
  functionality. (D/E 10791 ECO NAMED-070_A052)

- Corrects a problem not fixed correctly in the previous kit. Temporary
  cache files can now be created on alternate system devices.
  (D/E 10767 ECO NAMED-070_A052)

- Restores automatic forging of A records for Cluster Service hosts when
  the MULTINET_CLUSTER_SERVICE_NAMES logical is defined.
  (D/E 10509 ECO NAMED-060_A052)

  ** PLEASE NOTE **
  If your existing configuration includes a zone definition with A records
  for cluster service members, and you have defined the
  MULTINET_CLUSTER_SERVICE_NAMES logical, you may see a duplicate zone
  error message when the nameserver attempts to load the configuration.
  Either comment out the zone file definition or deassign the logical name.

- Corrects a problem where the lowest rated node did not have a load
  rating displayed by the netcontrol domain show function.
  (D/E 10765 ECO NAMED-060_A052)

- Implements the latest ISC patch to address performance issues in the
  9.4.2-p1 release. (D/E 10767 ECO NAMED-060_A052)

- Corrects a file lock error with the netcontrol domain reload function.
  (D/E 10778 ECO NAMED-060_A052)

- Implements the latest ISC security patch. ISC released 9.4.2-p1 to
  combat a potential attack exploiting weaknesses in the DNS protocol
  which can enable the poisoning of caching recursive resolvers with
  spoofed data.
  (D/E 10750 ECO NAMED-050_A052)

- Corrected a problem with the Nameserver Rewrite-TTL variable.
  (D/E 10749 ECO NAMED-050_A052)

- Corrects a problem with cluster services/load balancing introduced by
  the NAMED-030_A052 ECO. (D/E 10744 ECO NAMED-040_A052) ECO Rank: 3

- Implements the recent ISC security update to fix the cache poisoning
  problem which could result in pharming attacks when the nameserver is
  configured as caching-only. (D/E 10556 ECO NAMED-030_A052) ECO Rank: 0

- Corrects a logging problem where specifying a file version limit could
  cause the nameserver to crash. (D/E 10550 ECO NAMED-020_A052) ECO Rank: 2

- Corrects possible locking/CPU usage issues on VAX platforms.
  (ECO NAMED-020_A052) ECO Rank: 2

- RNDC-CONFGEN image installed as part of the Nameserver tool base.
  (ECO NAMED-020_A052) ECO Rank: 2

- Corrected a problem with handling of type 0/invalid class queries.
  (D/E 10528 ECO NAMED-010_A052) ECO Rank: 2

- Corrected a version number problem with local database files; the
  nameserver will no longer create multiple file versions after zone
  transfers. (D/E 10527 ECO NAMED-010_A052) ECO Rank: 2

- RNDC image installed as part of the Nameserver tool base.
  (D/E 10523 ECO NAMED-010_A052) ECO Rank: 2

- Corrected a problem where the Nameserver could crash/hang with the
  "UDP client handler shutting down" message.
  (D/E 10519 ECO NAMED-010_A052) ECO Rank: 2

** NOTE - REQUIRES ECO UCXDRIVER-010_A052 or LATER

- Allow the debug log file to be accessed while the Nameserver is running.

- Corrected an intermittent problem with the netcontrol domain restart
  command.

-----------------------------------------------------------------------------

** PLEASE NOTE **

BIND 9.4.1-P1 and later tighten the default access controls: recursion,
and access to cached answers, is allowed by default only for
"localhost; localnets;". A server that previously answered recursive
queries for a wider set of clients will stop doing so after this upgrade
unless its configuration is changed explicitly.
To retain the behavior prior to BIND 9.4.1-P1, the following entries
should be created in your named.conf file:

    options {
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };
    };

Be aware that "any" reopens recursion and cache access to every client
that can reach the server. On a publicly reachable address this makes the
server an open resolver: it is a target for exactly the cache poisoning
attacks that the ISC patches listed above address, and it will spend its
resources answering queries for anyone on the Internet. Unless the server
genuinely must recurse for everyone, list only the networks of your own
clients in place of "any" for allow-recursion and allow-query-cache.

For further information on using RNDC and other BIND tools, we recommend
referring to O'Reilly's DNS and BIND, 4th Edition.

To run any of the support tools, define symbols, i.e.:

    $ nsupdate :== $multinet:nsupdate.exe
    $ rndc :== $multinet:rndc.exe
    $ rndcconfgen :== $multinet:rndc-confgen.exe

You need to restart the Nameserver for these changes to take effect.
The following commands will do it:

    $ multinet netcontrol domain shutdown
    $ @multinet:start_server restart
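As an added example, not part of the MultiNet kit or these release notes,
the same named.conf options written so that recursion and cache access are
restricted to a named set of client networks while authoritative queries
remain open, together with a controls stanza that limits remote RNDC (the
first fix in this kit) to one management host authenticated with a key.
The acl name "trusted", the address ranges, the server and management host
addresses, the key name and the key secret are placeholders, not values
from the kit; generate a real secret with rndc-confgen.

```conf
/* Added example: restrict recursion instead of opening it to "any".
   All names and addresses below are placeholders (assumptions), not
   values taken from the MultiNet kit. */

/* Networks allowed to use this server as a recursive resolver. */
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;        /* placeholder: site IPv4 LAN */
    2001:db8:1::/48;     /* placeholder: site IPv6 prefix */
};

options {
    /* Anyone may ask about zones this server is authoritative for ... */
    allow-query { any; };

    /* ... but only trusted clients may recurse or read cached answers.
       Clients outside the acl get REFUSED for recursive lookups, so the
       server is not an open resolver. */
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };
};

/* Shared secret for rndc. The value here is merely base64("placeholder");
   replace it with the key that rndc-confgen generates. The same key
   clause must appear in rndc.conf on the management host. */
key "rndc-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xkZXI=";
};

/* Accept rndc connections on the server's own address (placeholder
   192.0.2.10) from one management host only, and only with the key. */
controls {
    inet 192.0.2.10 port 953 allow { 192.0.2.50; } keys { "rndc-key"; };
};
```

After restarting the Nameserver as described above, check from a host
outside the trusted ranges that a recursive query for a name the server is
not authoritative for comes back REFUSED, and that rndc from any host other
than the one listed in allow is rejected; those two checks confirm the
configuration does what the acl and controls stanzas intend.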