
	    BIND 9.5.1 Beta 1 is now available.

    BIND 9.5.1b1 is a beta maintenance release of BIND 9.5.

  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
  URGENT                                                                URGENT 
  URGENT                Please read security alert below!               URGENT 
  URGENT                                                                URGENT 
  URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

    BIND 9.5.1b1 contains the following security fixes:

2375.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949]

2384.	[security]	Additional support for query port randomization (change
			#2375) including performance improvement and port range
			specification.  [RT #17949, #18098]

    Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
    aware of a potential attack exploiting weaknesses in the DNS protocol
    itself to enable the poisoning of caching recurive resolvers with
    spoofed data.

    For additional information about this vulnerability, see US-CERT
    (CERT VU#800113 DNS Cache Poisoning Issue).  For more details on the
    changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

    IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

    DNSSEC is the only definitive solution for this issue.  Understanding
    that immediate DNSSEC deployment is not a realistic expectation, ISC
    is releasing patched versions of BIND that improve its resilience
    against this attack.  The method used makes it harder to spoof answers
    to a resolver by expanding the range of UDP ports from which queries
    are sent by the nameserver, thereby increasing the variability of
    parameters in outgoing queries.

BIND 9.5.1b1 can be downloaded from

        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz

The PGP signature of the distribution is at

        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.asc
        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows 2000, Windows XP and Window 2003 is at

	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and
Window 2003 is at
        
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha512.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha256.asc
	ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha512.asc

Changes since 9.5.0:

	--- 9.5.1b1 released ---

2385.	[bug]		A condition variable in socket.c could leak in
			rare error handling [RT #17968].

2384.	[security]	Additional support for query port randomization (change
			#2375) including performance improvement and port range
			specification.  [RT #17949, #18098]

2383.	[bug]		named could double queries when they resulted in
			SERVFAIL due to overkilling EDNS0 failure detection.
			[RT #18182]

2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
			to ARM.

2381.	[port]		dlz/mysql: support multiple install layouts for
			mysql.  <prefix>/include/{,mysql/}mysql.h and
			<prefix>/lib/{,mysql/}. [RT #18152]

2380.	[bug]		dns_view_find() was not returning NXDOMAIN/NXRRSET
			proofs which, in turn, caused validation failures
			for insecure zones immediately below a secure zone
			the server was authoritative for. [RT #18112] 

2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
			TLDs and supported RRs with TTLs [RT #17972]

2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
			[RT #18169]

2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]

2376.	[bug]		Change #2144 was not complete.

2375.	[security]	Fully randomize UDP query ports to improve
			forgery resilience. [RT #17949]

2373.	[bug]		Default values of zone ACLs were re-parsed each time a
			new zone was configured, causing an overconsumption
			of memory. [RT #18092]

