From 075f03d37f83496e18a74c74e8fa8b23971226a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 5 Nov 2021 08:04:15 +0100 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-current.rst | 83 ++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 37 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c0eaa80ec7..073d40ddd5 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -24,61 +24,70 @@ Known Issues New Features ~~~~~~~~~~~~ -- Implement incremental resizing of RBT hash tables to perform the rehashing - gradually instead all-at-once to be able to grow the memory usage gradually - while keeping steady response rate during the rehashing. :gl:`#2941` +- Internal data structures maintained for each cache database are now + grown incrementally when they need to be expanded. This helps maintain + a steady response rate on a loaded resolver while these internal data + structures are resized. :gl:`#2941` -- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs`` - and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records - so that their content can only match the machine name embedded in the - Kerberos principal making the change. :gl:`#481` +- New finer-grained ``update-policy`` rule types, + ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added. + These rule types restrict updates to SRV and PTR records so that their + content can only match the machine name embedded in the Kerberos + principal making the change. :gl:`#481` + +- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843` Removed Features ~~~~~~~~~~~~~~~~ -- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support. - If OpenSSL 3.0.0 has been built without support for deprecated functionality - pkcs11 via engine_pkcs11 is no longer available. At this point in time - there is no replacement ``provider`` for pkcs11 which is the replacement to - the ``engine API``. :gl:`#2843` +- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9 + currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an + OpenSSL 3.0.0 build which does not retain support for deprecated APIs + makes it impossible to use PKCS#11 in BIND 9. A replacement for + engine_pkcs11 which employs the new "provider" approach introduced in + OpenSSL 3.0.0 is in the making. 
:gl:`#2843` Feature Changes ~~~~~~~~~~~~~~~ -- Because the old socket manager API has been removed, "socketmgr" - statistics are no longer reported by the - :ref:`statistics channel `. :gl:`#2926` +- Since the old socket manager API has been removed, "socketmgr" + statistics are no longer reported by the :ref:`statistics channel + `. :gl:`#2926` -- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional - validation rules for domains and hostnames within dig. :gl:`#1610` +- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls. + This enables additional validation rules for IDN domains and hostnames + in ``dig``. :gl:`#1610` -.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules - -- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means - that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by - default. The additional signatures from the ZSK that are added if the option - is set to ``no`` add to the DNS response payload without offering added value. - :gl:`#1316` +- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This + means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with + the KSK by default. The additional signatures prepared using the ZSK + when the option is set to ``no`` add to the DNS response payload + without offering added value. :gl:`#1316` - The output of ``rndc serve-stale status`` has been clarified. It now - explicitly reports whether retention of stale data in the cache is enabled - (``stale-cache-enable``), and whether returning of such data in responses is - enabled (``stale-answer-enable``). :gl:`#2742` + explicitly reports whether retention of stale data in the cache is + enabled (``stale-cache-enable``), and whether returning such data in + responses is enabled (``stale-answer-enable``). :gl:`#2742` -- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use - no extra iterations and no salt. 
:gl:`#2956`. +- The default NSEC3 parameters for ``dnssec-policy`` were updated to no + extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). + :gl:`#2956` + +.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules Bug Fixes ~~~~~~~~~ -- Reloading a catalog zone that referenced a missing/deleted zone - caused a crash. This has been fixed. :gl:`#2308` +- Reloading a catalog zone which referenced a missing/deleted member + zone triggered a runtime check failure, causing ``named`` to exit + prematurely. This has been fixed. :gl:`#2308` -- Logfiles using ``timestamp``-style suffixes were not always correctly - removed when the number of files exceeded the limit set by ``versions``. - :gl:`#828` +- Log files using ``timestamp``-style suffixes were not always correctly + removed when the number of files exceeded the limit set by + ``versions``. This has been fixed. :gl:`#828` - Some lame delegations could trigger a dependency loop, in which a - resolver fetch was waiting for a name server address lookup which was - waiting for the same resolver fetch. This could cause a recursive lookup - to hang until timing out. This now detected and avoided. :gl:`#2927` + resolver fetch waited for a name server address lookup which was + waiting for the same resolver fetch. This could cause a recursive + lookup to hang until timing out. This situation is now detected and + prevented. :gl:`#2927`
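Review bot: In the "Removed Features" entry for OpenSSL 3.0.0, the new sentence "A replacement for engine_pkcs11 which employs the new "provider" approach introduced in OpenSSL 3.0.0 is in the making" asserts work in progress that the old text did not claim (the old wording said "At this point in time there is no replacement ``provider``"); either point at the tracking issue for that provider work or keep the factual statement that no provider-based replacement exists yet, since operators reading release notes will plan HSM deployments around it. In the same entry, "makes it impossible to use PKCS#11 in BIND 9" is only true for that build configuration; suggest "makes PKCS#11 unavailable in that build of BIND 9" so readers do not take it as a blanket removal, and consider cross-referencing the "Support for OpenSSL 3.0.0 APIs was added" entry under "New Features" so the two halves of :gl:`#2843` are read together. For the ``nsec3param`` default change (``NSEC3PARAM 1 0 0 -``), the note would be more useful to operators if it stated the upgrade effect on zones already signed under ``dnssec-policy`` with the previous default (i.e. whether the NSEC3 chain is regenerated with the new parameters on upgrade, or only on the next ``nsec3param`` change). Minor style points: the entries mix "was changed"/"were added" with "has been fixed"/"has been clarified"; pick one tense across the file, and the relocated ``.. _UseSTD3ASCIIRules:`` target is valid anywhere in reStructuredText but reads oddly between "Feature Changes" and "Bug Fixes"; placing it directly under the entry that references it, as before, keeps the source easier to follow.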