From 2a3088e18d247adaf7e29f5f587953b789c561bb Mon Sep 17 00:00:00 2001 From: Michał Kępień Date: Mon, 11 Apr 2022 10:05:50 +0200 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-current.rst | 44 +++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index cfcee820a5..3372502c16 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -20,39 +20,41 @@ Security Fixes Known Issues ~~~~~~~~~~~~ -- According to RFC 8310, Section 8.1, the Subject field MUST NOT be - inspected when verifying a remote certificate while establishing a - DNS-over-TLS connection. Only SubjectAltName must be checked +- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT + be inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only ``subjectAltName`` must be checked instead. Unfortunately, some quite old versions of cryptographic - libraries might lack the functionality to ignore the Subject - field. It should have minimal production use consequences, as most - of the production-ready certificates issued by certificate - authorities will have SubjectAltNames set. In such a case, the - Subject field is ignored. Only old platforms are affected by this, - e.g., those supplied with OpenSSL versions older than 1.1.1. + libraries might lack the ability to ignore the ``Subject`` field. This + should have minimal production-use consequences, as most of the + production-ready certificates issued by certificate authorities will + have ``subjectAltName`` set. In such cases, the ``Subject`` field is + ignored. Only old platforms are affected by this, e.g. those supplied + with OpenSSL versions older than 1.1.1. :gl:`#3163` New Features ~~~~~~~~~~~~ -- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a ``-J`` option to - specify a journal file to read when loading the zone to be verified or - signed. :gl:`#2486` +- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a + ``-J`` option to specify a journal file to read when loading the zone + to be verified or signed. :gl:`#2486` -- Add support for remote TLS certificates verification, both to BIND - and ``dig``, making it possible to implement Strict and Mutual TLS - authentication, as described in RFC 9103, Section 9.3. 
:gl:`#3163` +- Add support for remote TLS certificate verification, both to + :iscman:`named` and :iscman:`dig`, making it possible to implement + Strict and Mutual TLS authentication, as described in :rfc:`9103`, + Section 9.3. :gl:`#3163` -- Run RPZ updates on the specialized "offload" threads to reduce the amount - of time they block query processing on the main networking threads. This - should increase the responsiveness of ``named`` when RPZ updates are being - applied after an RPZ zone has been successfully transfered. :gl:`#3190` +- Run RPZ updates on the specialized "offload" threads to reduce the + amount of time they block query processing on the main networking + threads. This should increase the responsiveness of :iscman:`named` + when RPZ updates are being applied after an RPZ zone has been + successfully transferred. :gl:`#3190` Removed Features ~~~~~~~~~~~~~~~~ - The ``keep-order-response`` option has been declared obsolete and the - functionality has been removed. :iscman:`named` expects DNS clients to be - fully compliant with :rfc:`7766`. :gl:`#3140` + functionality has been removed. :iscman:`named` expects DNS clients to + be fully compliant with :rfc:`7766`. :gl:`#3140` Feature Changes ~~~~~~~~~~~~~~~
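Review bot: the reworded Known Issues entry still leaves unstated what :iscman:`named` and :iscman:`dig` actually do on the affected platforms (OpenSSL older than 1.1.1) when the remote certificate has no ``subjectAltName``; the new text only covers the case where it is present ("In such cases, the ``Subject`` field is ignored"). Since the entry exists precisely to document a deviation from :rfc:`8310`, Section 8.1, please say explicitly whether the ``Subject`` field is then consulted for verification in that case, so operators on old platforms can judge their exposure, for example by adding one sentence after "Only old platforms are affected by this" that states the fallback behaviour as it is implemented. Minor style point in the New Features hunk lines: "Add support for remote TLS certificate verification ..." and "Run RPZ updates on the specialized "offload" threads ..." keep the imperative mood while the neighbouring entries are descriptive ("now accept a ``-J`` option", "has been declared obsolete"); "Support for ... has been added" and "RPZ updates are now run on ..." would match the rest of the notes.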