From 1a849dab19287148f12da50d890f455f02aa3622 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 14 Mar 2016 18:00:15 -0700 Subject: [PATCH] [master] add missing functional changes to README --- CHANGES | 4 +-- README | 106 +++++++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 81 insertions(+), 29 deletions(-) diff --git a/CHANGES b/CHANGES index c931887030..c67130ed3d 100644 --- a/CHANGES +++ b/CHANGES @@ -944,7 +944,7 @@ Also, the managed keys data file has easier-to-read comments. [RT #38458] -4054. [func] Added a new tool 'mdig', a light weight clone of +4054. [func] Added a new tool 'mdig', a lightweight clone of dig able to send multiple pipelined queries. [RT #38261] @@ -1204,7 +1204,7 @@ zone to be updated via "rndc signing -serial". [RT #37404] -3987. [func] Handle future Visual Studio 14 incompatible changes. +3987. [port] Handle future Visual Studio 14 incompatible changes. [RT #37380] 3986. [doc] Add the BIND version number to page footers diff --git a/README b/README index f5129473af..687c576d0a 100644 --- a/README +++ b/README @@ -56,11 +56,11 @@ BIND 9.11.0 BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier releases. New features include: - - Added support for "dnstap", a fast and flexible method of - capturing and logging DNS traffic. - - Added support for "dyndb", a new API for loading zone data - from an external database, developed by Red Hat for the FreeIPA - project. + - Added support for "dnstap", a fast and flexible method of + capturing and logging DNS traffic. + - Added support for "dyndb", a new API for loading zone data + from an external database, developed by Red Hat for the FreeIPA + project. - New "fetchlimit" quotas are now available for the use of recursive resolvers that are are under high query load for domains whose authoritative servers are nonresponsive or are 
@@ -74,23 +74,44 @@ BIND 9.11.0 + "fetches-per-zone" limits the number of simultaneous queries that can be sent for names within a single domain. (Note: Unlike "fetches-per-server", this value is not self-tuning.) - + New stats counters have been added to count + + New stats counters have been added to count queries spilled due to these quotas. - - The zone serial number of a dynamically updatable zone - can now be set via "rndc signing -serial ". - This allows inline-signing zones to be set to a specific - serial number. + - The experimental "SIT" feature in BIND 9.10 has been renamed + "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism + enabling clients to detect off-path spoofed responses, and + servers to detect spoofed-source queries. Clients that identify + themselves using COOKIE options are not subject to response rate + limiting (RRL) and can receive larger UDP responses. - SERVFAIL responses can now be cached for a limited time - (defaulting to 10 seconds, with an upper limit of 30). + (defaulting to 1 second, with an upper limit of 30). This can reduce the frequency of retries when a query is persistently failing. - - The new "rndc nta" command can be used to set a "negative - trust anchor", disabling DNSSEC validation for a specific - domain; this can be used when responses from a domain are - known to be failing validation due to administrative error - rather than because of a spoofing attack. Negative trust - anchors are strictly temporary; by default they expire after - one hour, but can be configured to last up to one week. + - The "controls" block in named.conf can now grand read-only + "rndc" access to specified clients or keys. Read-only clients + could, for example, check "rndc status" but could not + reconfigure or shut down the server. + - "rndc" commands can now return arbitrarily large amounts of + text to the caller. + - The zone serial number of a dynamically updatable zone + can now be set via "rndc signing -serial ". 
+ This allows inline-signing zones to be set to a specific + serial number. + - The new "rndc nta" command can be used to set a Negative + Trust Anchor (NTA), disabling DNSSEC validation for a + specific domain; this can be used when responses from a + domain are known to be failing validation due to administrative + error rather than because of a spoofing attack. Negative + trust anchors are strictly temporary; by default they expire + after one hour, but can be configured to last up to one week. + - "rndc delzone" can now be used on zones that were not originally + created by "rndc addzone". + - "rndc modzone" reconfigures a single zone, without requiring + the entire server to be reconfigured. + - "rndc showzone" displays the current configuration of a zone. + - "rndc managed-keys" can be used to check the status of RFC 5001 + managed trust anchors, or to force trust anchors to be refreshed. + - "max-cache-size" can now be set to a percentage of available + memory. The default is 90%. - Update forwarding performance has been improved by allowing a single TCP connection to be shared by multiple updates. - The EDNS Client Subnet (ECS) option is now supported for 
@@ -103,24 +124,55 @@ BIND 9.11.0 side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave server. + - The key generation and manipulation tools (dnssec-keygen, + dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now + take "-Psync" and "-Dsync" options to set the publication + and deletion times of CDS and CDNSKEY parent-synchronization + records. Both named and dnssec-signzone can now publish and + remove these records at the scheduled times. - A new "masterfile-style" zone option controls the formatting of text zone files: When set to "full", a zone file is dumped in single-line-per-record format. - - "dig +ttlunits" causes dig to print TTL values with time-unit - suffixes: w, d, h, m, s for weeks, days, hours, minutes, and - seconds. - "serial-update-method" can now be set to "date". On update, the serial number will be set to the current date in YYYYMMDDNN format. - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN. - "named -L " causes named to send log messages to the specified file by default instead of to the system log. - - dig can now set arbitrary EDNS options on requests (+ednsopt). - - dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags). - - serial-query-rate no longer covers NOTIFY messages. These are - separately controlled by notify-rate and startup-notify-rate. - - nsupdate now performs check-names processing by default on records - to be added. This can be disabled with "check-names no". + - "dig +ttlunits" prints TTL values with time-unit suffixes: + w, d, h, m, s for weeks, days, hours, minutes, and seconds. + - "dig +unknownformat" prints dig output in RFC 3597 "unknown + record" presentation format. + - "dig +ednsopt" allows dig to set arbitrary EDNS options on + requests. + - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS + flags on requests. 
+ - "mdig" is an alternate version of dig which sends multiple + pipelined TCP queries to a server. Instead of waiting for a + response after sending a query, it sends all queries + immediately and displays responses in the order received. + - "serial-query-rate" no longer controls NOTIFY messages. + These are separately controlled by "notify-rate" and + "startup-notify-rate". + - "nsupdate" now performs "check-names" processing by default + on records to be added. This can be disabled with + "check-names no". + - The statistics channel now supports DEFLATE compression, + reducing the size of the data sent over the network when + querying statistics. + - New counters have been added to the statistics channel + to track the sizes of incoming queries and outgoing responses in + histogram buckets, as specified in RSSAC002. + - An new NXDOMAIN redirect method (option "nxdomain-redirect") + has been added, allowing redirection to a specified DNS + namespace instead of a single redirect zone. + - When starting up, named now ensures that no other named + process is already running. + - Files created by named to store information, including "mkeys" + and "nzf" files, are now named after their corresponding views + unless the view name contains characters incompatible with use + as a filename. Old style filenames (based on the hash of the + view name) will still work. This release addresses the security flaws described in CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
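Review bot: the five `-`/`+` lines for the "dnstap" and "dyndb" bullets in the README @@ -56 hunk are textually identical, so that part of the hunk is a whitespace-only change (indentation) mixed into a content commit; it is harmless, but it moves `git blame` for those lines onto this commit, so consider keeping indentation cleanups in a separate commit.

Review bot: typo in the README @@ -74 hunk: the new "controls" bullet reads `can now grand read-only "rndc" access`; "grand" should be "grant". In the same hunk the "rndc managed-keys" bullet cites "RFC 5001 managed trust anchors", but RFC 5001 defines the NSID EDNS option; automated trust-anchor maintenance is RFC 5011, so the reference should read "RFC 5011". The hunk also changes the SERVFAIL cache default from "10 seconds" to "1 second"; please confirm this matches the documented default of the corresponding option so README and the option reference do not disagree.

Review bot: grammar in the README @@ -103 hunk: the "nxdomain-redirect" bullet begins `An new NXDOMAIN redirect method`; "An" should be "A". The removed dig, serial-query-rate and nsupdate bullets all reappear reworded further down in the same hunk, so no feature is dropped from the list.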