bind/doc/notes/notes-current.rst

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

Notes for BIND 9.17.23
----------------------

Security Fixes
~~~~~~~~~~~~~~

- None.

Known Issues
~~~~~~~~~~~~

- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
  inspected when verifying a remote certificate while establishing a
  DNS-over-TLS connection. Only SubjectAltName must be checked
  instead. Unfortunately, some quite old versions of cryptographic
  libraries might lack the functionality to ignore the Subject
  field. It should have minimal production use consequences, as most
  of the production-ready certificates issued by certificate
  authorities will have SubjectAltNames set. In such a case, the
  Subject field is ignored. Only old platforms are affected by this,
  e.g., those supplied with OpenSSL versions older than 1.1.1.

New Features
~~~~~~~~~~~~

- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a ``-J`` option to
  specify a journal file to read when loading the zone to be verified or
  signed. :gl:`#2486`

- Add support for remote TLS certificates verification, both to BIND
  and ``dig``, making it possible to implement Strict and Mutual TLS
  authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`

- Run RPZ updates on the specialized "offload" threads to reduce the amount
  of time they block query processing on the main networking threads.  This
  should increase the responsiveness of ``named`` when RPZ updates are being
  applied after an RPZ zone has been successfully transfered.  :gl:`#3190`

Removed Features
~~~~~~~~~~~~~~~~

- The ``keep-order-response`` option has been declared obsolete and the
  functionality has been removed.  :iscman:`named` expects DNS clients to be
  fully compliant with :rfc:`7766`. :gl:`#3140`

Feature Changes
~~~~~~~~~~~~~~~

- None.

Bug Fixes
~~~~~~~~~

- None.
Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00			`.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
			`..`
			`.. SPDX-License-Identifier: MPL-2.0`
			`..`
			`.. This Source Code Form is subject to the terms of the Mozilla Public`
			`.. License, v. 2.0. If a copy of the MPL was not distributed with this`
			`.. file, you can obtain one at https://mozilla.org/MPL/2.0/.`
			`..`
			`.. See the COPYRIGHT file distributed with this work for additional`
			`.. information regarding copyright ownership.`

			`Notes for BIND 9.17.23`
			`----------------------`

			`Security Fixes`
			`~~~~~~~~~~~~~~`

Remove release notes applying to BIND 9.18.x 2022-04-11 10:05:50 +02:00			`- None.`
Add CHANGES and release note for [GL #3129] 2022-02-10 20:40:29 +00:00
Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00			`Known Issues`
			`~~~~~~~~~~~~`

Update the "Known Issues" Mention that some old cryptographic library versions lack the functionality to implement ignoring the Subject field (and thus the Common Name) when establishing DoT connections. 2022-02-21 10:25:41 +02:00			`- According to RFC 8310, Section 8.1, the Subject field MUST NOT be`
			`inspected when verifying a remote certificate while establishing a`
			`DNS-over-TLS connection. Only SubjectAltName must be checked`
			`instead. Unfortunately, some quite old versions of cryptographic`
			`libraries might lack the functionality to ignore the Subject`
			`field. It should have minimal production use consequences, as most`
			`of the production-ready certificates issued by certificate`
			`authorities will have SubjectAltNames set. In such a case, the`
			`Subject field is ignored. Only old platforms are affected by this,`
			`e.g., those supplied with OpenSSL versions older than 1.1.1.`
Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00
			`New Features`
			`~~~~~~~~~~~~`

Hyperlink program names to their manual pages Use the new role :iscman: to replace all occurences or ``binary`` with :iscman:`binary`, creating a hyperlink to the manual page. Generated using: find bin -name .rst \| xargs fgrep --files-with-matches '.. iscman' \| xargs -I{} -n1 basename {} .rst > /tmp/progs for PROG in $(cat /tmp/progs); do find -name '.rst' \| xargs sed -i -e "s/\`\`$PROG\`\`/:iscman:\`$PROG\`/g"; done Additional hand-edits were done mainly around filter-aaaa and filter-a which are program names and and option names at the same time. Couple more edits was neede to fix .rst syntax broken by automatic replacement. 2022-03-03 22:17:04 +01:00			- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a ``-J`` option to
CHANGES and release note for [GL #2486] 2022-02-04 23:51:39 -08:00			`specify a journal file to read when loading the zone to be verified or`
			signed. :gl:`#2486`
Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00
Mention TLS certs verification in the CHANGES and Release Notes This commit adds points to the CHANGES and the release notes about supporting remote TLS certificates verification and support for Strict and Mutual TLS transport connections verification. 2022-02-21 16:02:32 +02:00			`- Add support for remote TLS certificates verification, both to BIND`
			and ``dig``, making it possible to implement Strict and Mutual TLS
			authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`

Add CHANGES and release note for [GL #3190] 2022-03-08 18:36:08 +01:00			`- Run RPZ updates on the specialized "offload" threads to reduce the amount`
			`of time they block query processing on the main networking threads. This`
			should increase the responsiveness of ``named`` when RPZ updates are being
			applied after an RPZ zone has been successfully transfered. :gl:`#3190`

Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00			`Removed Features`
			`~~~~~~~~~~~~~~~~`

Add CHANGES and release note for [GL #3140] 2022-02-10 11:44:42 +01:00			- The ``keep-order-response`` option has been declared obsolete and the
Hyperlink program names to their manual pages Use the new role :iscman: to replace all occurences or ``binary`` with :iscman:`binary`, creating a hyperlink to the manual page. Generated using: find bin -name .rst \| xargs fgrep --files-with-matches '.. iscman' \| xargs -I{} -n1 basename {} .rst > /tmp/progs for PROG in $(cat /tmp/progs); do find -name '.rst' \| xargs sed -i -e "s/\`\`$PROG\`\`/:iscman:\`$PROG\`/g"; done Additional hand-edits were done mainly around filter-aaaa and filter-a which are program names and and option names at the same time. Couple more edits was neede to fix .rst syntax broken by automatic replacement. 2022-03-03 22:17:04 +01:00			functionality has been removed. :iscman:`named` expects DNS clients to be
Add CHANGES and release note for [GL #3140] 2022-02-10 11:44:42 +01:00			fully compliant with :rfc:`7766`. :gl:`#3140`

Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00			`Feature Changes`
			`~~~~~~~~~~~~~~~`

Remove release notes applying to BIND 9.18.x 2022-04-11 10:05:50 +02:00			`- None.`
Add CHANGES and release note for [GL #3249] 2022-04-01 14:51:42 +02:00
Prepare release notes for BIND 9.17.23 2022-01-20 11:20:03 +01:00			`Bug Fixes`
			`~~~~~~~~~`

Remove release notes applying to BIND 9.18.x 2022-04-11 10:05:50 +02:00			`- None.`