bind/doc/notes/notes-current.rst

.. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

Notes for BIND 9.17.12
----------------------

Security Fixes
~~~~~~~~~~~~~~

- None.

Known Issues
~~~~~~~~~~~~

- None.

New Features
~~~~~~~~~~~~

- None.

Removed Features
~~~~~~~~~~~~~~~~

- None.

Feature Changes
~~~~~~~~~~~~~~~

- The GSSAPI no longer uses the ISC implementation of the SPNEGO
  mechanism and instead relies on the SPNEGO implementation from the
  system Kerberos library. All major Kerberos libraries contain the
  SPNEGO mechanism implementation. This change was implemented in BIND
  9.17.2, but it was not included in the release notes at the time.
  [GL #2607]

Bug Fixes
~~~~~~~~~

- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
  ``named`` now updates the keys immediately, avoiding unnecessary rollover
  delays. [#2488]

- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
  This has been fixed. [GL #2523]

- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from
  secure to insecure. "named-checkzone" no longer complains if such records
  exist in an unsigned zone. [GL #2517]

- Fix a crash when transferring a zone over TLS, after "named" previously
  skipped a master. [GL #2562]

- It was discovered that the TCP idle and initial timeouts were incorrectly
  applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout``
  was applied on the whole connection, even if the connection were still active,
  which could cause a large zone transfer to be sent back to the client. The
  default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that
  any TCP connection taking more than 30 seconds was abruptly terminated. This
  has been fixed [GL #2573].
Set up release notes for BIND 9.17.12 2021-03-18 15:58:15 +01:00			`..`
			`Copyright (C) Internet Systems Consortium, Inc. ("ISC")`

			`This Source Code Form is subject to the terms of the Mozilla Public`
			`License, v. 2.0. If a copy of the MPL was not distributed with this`
			`file, you can obtain one at https://mozilla.org/MPL/2.0/.`

			`See the COPYRIGHT file distributed with this work for additional`
			`information regarding copyright ownership.`

			`Notes for BIND 9.17.12`
			`----------------------`

			`Security Fixes`
			`~~~~~~~~~~~~~~`

			`- None.`

			`Known Issues`
			`~~~~~~~~~~~~`

			`- None.`

			`New Features`
			`~~~~~~~~~~~~`

			`- None.`

			`Removed Features`
			`~~~~~~~~~~~~~~~~`

			`- None.`

			`Feature Changes`
			`~~~~~~~~~~~~~~~`

Add CHANGES and release note for GL #2607 2021-04-01 10:28:06 +02:00			`- The GSSAPI no longer uses the ISC implementation of the SPNEGO`
			`mechanism and instead relies on the SPNEGO implementation from the`
			`system Kerberos library. All major Kerberos libraries contain the`
			`SPNEGO mechanism implementation. This change was implemented in BIND`
			`9.17.2, but it was not included in the release notes at the time.`
			`[GL #2607]`
Set up release notes for BIND 9.17.12 2021-03-18 15:58:15 +01:00
			`Bug Fixes`
			`~~~~~~~~~`

Rekey immediately after rndc checkds/rollover Call 'dns_zone_rekey' after a 'rndc dnssec -checkds' or 'rndc dnssec -rollover' command is received, because such a command may influence the next key event. Updating the keys immediately avoids unnecessary rollover delays. The kasp system test no longer needs to call 'rndc loadkeys' after a 'rndc dnssec -checkds' or 'rndc dnssec -rollover' command. 2021-03-17 15:57:34 +01:00			- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
			``named`` now updates the keys immediately, avoiding unnecessary rollover
			`delays. [#2488]`

Set up release notes for BIND 9.17.12 2021-03-18 15:58:15 +01:00			- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
			`This has been fixed. [GL #2523]`

Add CHANGES and notes for [#2517] 2021-03-17 10:09:59 +01:00			`- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from`
			`secure to insecure. "named-checkzone" no longer complains if such records`
			`exist in an unsigned zone. [GL #2517]`

Set up release notes for BIND 9.17.12 2021-03-18 15:58:15 +01:00			`- Fix a crash when transferring a zone over TLS, after "named" previously`
			`skipped a master. [GL #2562]`
Add CHANGES and release note for GL #2573 2021-03-17 13:42:19 +01:00
			`- It was discovered that the TCP idle and initial timeouts were incorrectly`
			applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout``
			`was applied on the whole connection, even if the connection were still active,`
			`which could cause a large zone transfer to be sent back to the client. The`
			default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that
			`any TCP connection taking more than 30 seconds was abruptly terminated. This`
			`has been fixed [GL #2573].`