Tweak and reword release notes

doc/notes/notes-current.rst

@@ -24,61 +24,70 @@ Known Issues
 New Features
 ~~~~~~~~~~~~
 
-- Implement incremental resizing of RBT hash tables to perform the rehashing
+- Internal data structures maintained for each cache database are now
-  gradually instead all-at-once to be able to grow the memory usage gradually
+  grown incrementally when they need to be expanded. This helps maintain
-  while keeping steady response rate during the rehashing. :gl:`#2941`
+  a steady response rate on a loaded resolver while these internal data
+  structures are resized. :gl:`#2941`
 
-- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs``
+- New finer-grained ``update-policy`` rule types,
-  and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records
+  ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
-  so that their content can only match the machine name embedded in the
+  These rule types restrict updates to SRV and PTR records so that their
-  Kerberos principal making the change. :gl:`#481`
+  content can only match the machine name embedded in the Kerberos
+  principal making the change. :gl:`#481`
+
+- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
 
-- Add support for OpenSSL 3.0.0.  OpenSSL 3.0.0 deprecated 'engine' support.
+- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9
-  If OpenSSL 3.0.0 has been built without support for deprecated functionality
+  currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an
-  pkcs11 via engine_pkcs11 is no longer available.  At this point in time
+  OpenSSL 3.0.0 build which does not retain support for deprecated APIs
-  there is no replacement ``provider`` for pkcs11 which is the replacement to
+  makes it impossible to use PKCS#11 in BIND 9. A replacement for
-  the ``engine API``. :gl:`#2843`
+  engine_pkcs11 which employs the new "provider" approach introduced in
+  OpenSSL 3.0.0 is in the making. :gl:`#2843`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- Because the old socket manager API has been removed, "socketmgr"
+- Since the old socket manager API has been removed, "socketmgr"
-  statistics are no longer reported by the
+  statistics are no longer reported by the :ref:`statistics channel
-  :ref:`statistics channel <statschannels>`. :gl:`#2926`
+  <statschannels>`. :gl:`#2926`
 
-- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
+- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls.
-  validation rules for domains and hostnames within dig.  :gl:`#1610`
+  This enables additional validation rules for IDN domains and hostnames
+  in ``dig``. :gl:`#1610`
 
-.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
+- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
-
+  means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
-- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means
+  the KSK by default. The additional signatures prepared using the ZSK
-  that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by
+  when the option is set to ``no`` add to the DNS response payload
-  default. The additional signatures from the ZSK that are added if the option
+  without offering added value. :gl:`#1316`
-  is set to ``no`` add to the DNS response payload without offering added value.
-  :gl:`#1316`
 
 - The output of ``rndc serve-stale status`` has been clarified. It now
-  explicitly reports whether retention of stale data in the cache is enabled
+  explicitly reports whether retention of stale data in the cache is
-  (``stale-cache-enable``), and whether returning of such data in responses is 
+  enabled (``stale-cache-enable``), and whether returning such data in
-  enabled (``stale-answer-enable``). :gl:`#2742`
+  responses is enabled (``stale-answer-enable``). :gl:`#2742`
 
-- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use
+- The default NSEC3 parameters for ``dnssec-policy`` were updated to no
-  no extra iterations and no salt. :gl:`#2956`.
+  extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``).
+  :gl:`#2956`
+
+.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
 
 Bug Fixes
 ~~~~~~~~~
 
-- Reloading a catalog zone that referenced a missing/deleted zone
+- Reloading a catalog zone which referenced a missing/deleted member
-  caused a crash. This has been fixed. :gl:`#2308`
+  zone triggered a runtime check failure, causing ``named`` to exit
+  prematurely. This has been fixed. :gl:`#2308`
 
-- Logfiles using ``timestamp``-style suffixes were not always correctly
+- Log files using ``timestamp``-style suffixes were not always correctly
-  removed when the number of files exceeded the limit set by ``versions``.
+  removed when the number of files exceeded the limit set by
-  :gl:`#828`
+  ``versions``. This has been fixed. :gl:`#828`
 
 - Some lame delegations could trigger a dependency loop, in which a
-  resolver fetch was waiting for a name server address lookup which was
+  resolver fetch waited for a name server address lookup which was
-  waiting for the same resolver fetch. This could cause a recursive lookup
+  waiting for the same resolver fetch. This could cause a recursive
-  to hang until timing out. This now detected and avoided. :gl:`#2927`
+  lookup to hang until timing out. This situation is now detected and
+  prevented. :gl:`#2927`