Wednesday, December 18, 2024

BIND 9.20 released: Enhanced DNSSEC support, application infrastructure improvements – Help Net Security

BIND (Berkeley Internet Name Domain) is an open-source DNS software system with an authoritative server, a recursive resolver, and related utilities. BIND 9.20, a stable branch suitable for production use, has been released. According to the current software release plan, this branch will be supported for four years – until the first quarter of 2028.

Who uses BIND?

  • Major financial institutions
  • National and international carriers
  • Regional and community ISPs
  • Retailers, manufacturers
  • Universities and educational networks
  • Government organizations

Application Infrastructure Improvements in BIND 9.20

The application core (the infrastructure that holds everything together) has been rewritten to use libuv asynchronous event loops exclusively. In BIND 9.16, the developers introduced a new networking manager using libuv as an asynchronous event handler on top of the existing application infrastructure. In BIND 9.20, the transition to libuv asynchronous loops is complete and BIND 9 is powered by libuv from the ground up. This simplifies and streamlines the internal infrastructure and allows the developers to keep data processing pinned to threads and reduce context switching, which improves overall resource consumption.

At the same time, the developers are using specialised thread pools provided by libuv to offload long-duration tasks and, instead of quantising the work themselves, they rely on the operating system scheduler to provide fair scheduling between the networking and offloaded threads. This simplifies the code that powers Response Policy Zones, Catalog Zones, Zone Transfers, DNSSEC Validation, and a couple of other long-running tasks, and improves latency when long-running tasks are mixed with normal DNS queries.

A new database backend, called QP trie, has been added to BIND 9 and made the default cache and zone database, replacing the venerable RBTDB (Red-Black Tree Database). The QP trie database uses the Userspace RCU (Read-Copy-Update) Library, which is now mandatory to compile and run BIND 9. Using Userspace RCU will allow the developers to remove POSIX locking as a synchronisation mechanism and replace it with Quiescent-State-Based Reclamation (QSBR) as a memory reclamation mechanism. Much work remains to be done, but in the future you should expect BIND 9 to be more scalable on systems with many CPUs.

The DNS name compression algorithm used in BIND 9 has been revised: it now compresses more thoroughly than before, so responses containing names with many labels may have a more compact encoding than before.

BIND 9.20: Improvements in DNSSEC support

  • DNSSEC Policy is now the only option for managing signed zones. The auto-dnssec option has been removed.
  • Support for DNSSEC multi-signer model 2 (IETF RFC 8901) when using inline-signing was added.
  • PKCS#11 support has been restored by utilising the new OpenSSL 3 Provider API (the OpenSSL Engine API is deprecated in OpenSSL 3).
  • HSM support was added to dnssec-policy. Keys can now be configured with a key-store that allows users to set the directory where key files are stored and to set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 provider to be configured for OpenSSL.
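As an added illustration (not from the article or the BIND project), here is a named.conf fragment wiring a dnssec-policy to an HSM-backed key-store for the KSK and a plain on-disk key-store for the ZSK. The zone name, file paths, token label and PIN file are placeholder assumptions; the `key-store`, `pkcs11-uri`, `dnssec-policy` and `inline-signing` statements are the BIND 9.20 configuration names described above.

```conf
# Added example, not part of the original article or ISC's documentation.
# Assumed placeholders: paths, zone name, token label, PIN file.

# KSK private key lives in the HSM referenced by the PKCS#11 URI; BIND keeps
# only key metadata (.key/.state files) in `directory`. Needs OpenSSL 3 with a
# PKCS#11 provider loaded via openssl.cnf for the user named runs as.
key-store "hsm" {
    directory "/var/lib/bind/hsm-keys";
    pkcs11-uri "pkcs11:token=bind-signer;pin-source=/etc/bind/hsm-pin.txt";
};

# Ordinary on-disk key-store for the frequently rolled ZSK.
key-store "disk" {
    directory "/var/lib/bind/keys";
};

dnssec-policy "hsm-ksk" {
    keys {
        # Algorithm 13 = ECDSAP256SHA256. KSK is rolled manually (unlimited).
        ksk key-store "hsm"  lifetime unlimited algorithm 13;
        # ZSK on disk, rolled automatically every 90 days.
        zsk key-store "disk" lifetime P90D      algorithm 13;
    };
};

zone "example.com" {
    type primary;
    file "/var/lib/bind/zones/example.com.db";
    dnssec-policy "hsm-ksk";
    # Sign a separate copy so the unsigned file stays untouched; this is also the
    # mode required for the RFC 8901 multi-signer model 2 support in 9.20.
    inline-signing yes;
};
```

Before reloading, run `named-checkconf` on the file; after the zone is signed, `rndc dnssec -status example.com` shows which key-store each key came from, and `dig @127.0.0.1 example.com DNSKEY +dnssec` confirms both keys are published and the RRSIG over the DNSKEY set was produced by the HSM-held KSK. Two caveats: the PIN file must be readable only by the named user, and if the provider is missing from the OpenSSL configuration named sees, key generation for the HSM key-store fails at startup rather than silently falling back to disk keys.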

Feature updates

  • Catalog Zones schema version 2 (as described in the “DNS Catalog Zones” IETF draft version 5 document), is now supported by BIND 9.
  • More Extended DNS Errors are now supported.
  • The DNS over TCP and DNS over TLS implementations have been refactored to use a unified transport. This in turn allowed the developers to add the new PROXYv2 transport.
  • PROXYv2 support is available for all DNS transports currently supported by BIND.
  • Support for User Statically Defined Tracing (USDT) probes has been added. These probes enable fine-grained application tracing using the perf command and introduce no overhead when they are not enabled.
  • The statistics channel now includes information about incoming zone transfers in progress.
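PROXYv2 deserves a deployment caveat: the header carries the original client address, and BIND evaluates ACLs such as `allow-recursion` against that address, so any host allowed to send PROXYv2 headers can claim to be any client. The following added fragment (not from the article or ISC) shows a PROXYv2-enabled listener restricted to a load-balancer subnet; the addresses and ACL names are placeholder assumptions.

```conf
# Added example, not part of the original article or ISC's documentation.
# Assumed placeholders: the load-balancer subnet and listener addresses.

# Only the load balancers may prefix connections with a PROXYv2 header.
acl "lb-fleet" { 10.0.10.0/24; };

options {
    # Interface facing the balancers: expects a PROXYv2 header before the DNS
    # message on every TCP/UDP connection ("plain" = header sent unencrypted).
    listen-on port 53 proxy plain { 10.0.1.5; };

    # Ordinary listener for hosts that connect directly, no header expected.
    listen-on port 53 { 127.0.0.1; };

    # Reject PROXYv2 headers from anything other than the balancer subnet;
    # without this restriction a client could spoof its source address and
    # pass the recursion ACL below.
    allow-proxy { lb-fleet; };
    allow-proxy-on { 10.0.1.5; };

    # Evaluated against the client address taken from the PROXYv2 header
    # when the connection arrived on the proxy listener.
    allow-recursion { 192.0.2.0/24; };
};
```

Keep the proxy listener on an address that only the balancers can reach, and never point a proxy-mode listener at a public interface: a header-less client on that listener is an error, and a header-bearing client outside `allow-proxy` is refused, but both outcomes are still cheaper to avoid at the network layer than to handle in BIND.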

Download BIND 9.20

BIND 9 is open source and licensed under the MPL 2.0 license. Users can freely add functionality and contribute to the community through an open GitLab.

You can download BIND 9.20 here. Alternatively, you can install updated ISC packages for Ubuntu, CentOS/Fedora, or the standard Debian package. An official Docker image is available as well.
