diff --git a/README b/README index 296d7530aa..3df129d129 100644 --- a/README +++ b/README @@ -56,12 +56,12 @@ General bug reports can be sent to bind9-bugs@isc.org. Feature requests can be sent to bind-suggest@isc.org. -Please note that, while ISC's ticketing system is not currently publicly -readable, this may change in the future. Please do not include information -in bug reports that you consider to be confidential. For example, when -sending the contents of your configuration file, it is advisable to -obscure key secrets; this can be done automatically by using -named-checkconf -px. +Please note that, while tickets submitted to ISC's ticketing system are +not initially publicly readable by default, they can be made publicly +acessible afterward. Please do not include information in bug reports that +you consider to be confidential. In particular, when sending the contents +of your configuration file, it is advisable to obscure key secrets: this +can be done automatically by using named-checkconf -px. Professional support and training for BIND are available from ISC at https://www.isc.org/support. @@ -75,8 +75,9 @@ mailman/listinfo/bind-workers. Contributing to BIND -A public git repository for BIND is maintained at http://www.isc.org/git/, -and also on Github at https://github.com/isc-projects. +ISC maintains a public git repository for BIND; details can be found at +http://www.isc.org/git/, and also on Github at https://github.com/ +isc-projects. Information for BIND contributors can be found in the following files: - General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ 
@@ -103,10 +104,8 @@ include: * Cached, validated NSEC and other records can now be used to synthesize NXDOMAIN responses. * The DNS Response Policy Service API (DNSRPS) is now supported. - * Setting max-journal-size default now limits the size of journal files - to twice the size of the zone. - * The query handling code has been substantially refactored for improved - readability, maintainability and testability . + * Setting 'max-journal-size default' now limits the size of journal + files to twice the size of the zone. * dnstap-read -x prints a hex dump of the wire format of each logged DNS message. * dnstap output files can now be configured to roll automatically when @@ -115,7 +114,7 @@ include: ISO 8601 (UTC) formats. * Logging channels and dnstap output files can now be configured to use a timestamp as the suffix when rolling to a new file. - * named-checkconf -l lists zones found in named.conf. + * 'named-checkconf -l' lists zones found in named.conf. * Added support for the EDNS Padding and Keepalive options. * 'new-zones-directory' option sets the location where the configuration data for zones added by rndc addzone is stored 
@@ -189,10 +188,11 @@ smaller systems. For the server to support DNSSEC, you need to build it with crypto support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the OpenSSL library is installed in a nonstandard location, -specify the prefix using "--with-openssl=/prefix" on the configure command -line. To use a PKCS#11 hardware service module for cryptographic +specify the prefix using "--with-openssl=" on the configure +command line. To use a PKCS#11 hardware service module for cryptographic operations, specify the path to the PKCS#11 provider library using -"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11". +"--with-pkcs11=", and configure BIND with +"--enable-native-pkcs11". To support the HTTP statistics channel, the server must be linked with at least one of the following: libxml2 http://xmlsoft.org or json-c https:// 
@@ -212,13 +212,16 @@ libGeoIP. This is not turned on by default; BIND must be configured with "--with-geoip". If the library is installed in a nonstandard location, use specify the prefix using "--with-geoip=/prefix". -For DNSTAP packet logging, you must have libfstrm https://github.com/ -farsightsec/fstrm and libprotobuf-c https://developers.google.com/ -protocol-buffers, and BIND must be configured with "--enable-dnstap". +For DNSTAP packet logging, you must have installed libfstrm https:// +github.com/farsightsec/fstrm and libprotobuf-c https:// +developers.google.com/protocol-buffers, and BIND must be configured with +"--enable-dnstap". -Python requires the 'argparse' and 'ply' modules to be available. -'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is -available from https://pypi.python.org/pypi/ply. +Portions of BIND that are written in Python, including dnssec-keymgr, +dnssec-coverage, dnssec-checkds, and some of the system tests, require the +'argparse' and 'ply' modules to be available. 'argparse' is a standard +module as of Python 2.7 and Python 3.2. 'ply' is available from https:// +pypi.python.org/pypi/ply. On some platforms it is necessary to explicitly request large file support to handle files bigger than 2GB. This can be done by using @@ -250,7 +253,7 @@ Automated testing A system test suite can be run with make test. The system tests require you to configure a set of virtual IP addresses on your system (this allows multiple servers to run locally and communicate with one another). These -IP addresses can be configured by by running the script bin/tests/system/ +IP addresses can be configured by running the command bin/tests/system/ ifconfig.sh up as root. Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, diff --git a/README.md b/README.md index d6c0fc5e2e..74d9f01db6 100644 --- a/README.md +++ b/README.md 
@@ -66,12 +66,12 @@ General bug reports can be sent to Feature requests can be sent to [bind-suggest@isc.org](mailto:bind-suggest@isc.org). -Please note that, while ISC's ticketing system is not currently publicly -readable, this may change in the future. Please do not include information -in bug reports that you consider to be confidential. For example, when -sending the contents of your configuration file, it is advisable to obscure -key secrets; this can be done automatically by using `named-checkconf --px`. +Please note that, while tickets submitted to ISC's ticketing system +are not initially publicly readable by default, they can be made publicly +acessible afterward. Please do not include information in bug reports that +you consider to be confidential. In particular, when sending the contents of +your configuration file, it is advisable to obscure key secrets: this can +be done automatically by using `named-checkconf -px`. Professional support and training for BIND are available from ISC at [https://www.isc.org/support](https://www.isc.org/support). @@ -85,8 +85,8 @@ may also want to join the __BIND Workers__ mailing list, at ### Contributing to BIND -A public git repository for BIND is maintained at -[http://www.isc.org/git/](http://www.isc.org/git/), and also on Github +ISC maintains a public git repository for BIND; details can be found +at [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github at [https://github.com/isc-projects](https://github.com/isc-projects). Information for BIND contributors can be found in the following files: 
@@ -116,10 +116,8 @@ include: * Cached, validated NSEC and other records can now be used to synthesize NXDOMAIN responses. * The DNS Response Policy Service API (DNSRPS) is now supported. -* Setting `max-journal-size default` now limits the size of journal files +* Setting `'max-journal-size default'` now limits the size of journal files to twice the size of the zone. -* The query handling code has been substantially refactored for improved - readability, maintainability and testability . * `dnstap-read -x` prints a hex dump of the wire format of each logged DNS message. * `dnstap` output files can now be configured to roll automatically when @@ -128,7 +126,7 @@ include: 8601 (UTC) formats. * Logging channels and `dnstap` output files can now be configured to use a timestamp as the suffix when rolling to a new file. -* `named-checkconf -l` lists zones found in `named.conf`. +* `'named-checkconf -l'` lists zones found in `named.conf`. * Added support for the EDNS Padding and Keepalive options. * 'new-zones-directory' option sets the location where the configuration data for zones added by rndc addzone is stored @@ -195,9 +193,9 @@ performance on smaller systems. For the server to support DNSSEC, you need to build it with crypto support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the OpenSSL library is installed in a nonstandard location, specify the prefix -using "--with-openssl=/prefix" on the configure command line. To use a +using "--with-openssl=<PREFIX>" on the configure command line. To use a PKCS#11 hardware service module for cryptographic operations, specify the -path to the PKCS#11 provider library using "--with-pkcs11=/prefix", and +path to the PKCS#11 provider library using "--with-pkcs11=<PREFIX>", and configure BIND with "--enable-native-pkcs11". To support the HTTP statistics channel, the server must be linked with at 
@@ -220,13 +218,15 @@ libGeoIP. This is not turned on by default; BIND must be configured with "--with-geoip". If the library is installed in a nonstandard location, use specify the prefix using "--with-geoip=/prefix". -For DNSTAP packet logging, you must have libfstrm +For DNSTAP packet logging, you must have installed libfstrm [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm) and libprotobuf-c [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers), and BIND must be configured with "--enable-dnstap". -Python requires the 'argparse' and 'ply' modules to be available. +Portions of BIND that are written in Python, including +`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the +system tests, require the 'argparse' and 'ply' modules to be available. 'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply). @@ -260,7 +260,7 @@ localstatedir defaults to `$prefix/var`. A system test suite can be run with `make test`. The system tests require you to configure a set of virtual IP addresses on your system (this allows multiple servers to run locally and communicate with one another). These -IP addresses can be configured by by running the script +IP addresses can be configured by running the command `bin/tests/system/ifconfig.sh up` as root. Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 79e5d25fab..ef0557c508 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook 
@@ -646,6 +646,26 @@ + + + + + If key's sync publication date is set and in the past, + synchronization records (type CDS and/or CDNSKEY) are + created. + + + + + + + + If key's sync deletion date is set and in the past, + synchronization records (type CDS and/or CDNSKEY) are + removed. + + + diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 61f04c1443..d7417b98c4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -3815,17 +3815,17 @@ notrace. All debugging messages in the server have a debug print-time can be set to yes, no, or a time format specifier, which may be one of - , or - . If set to + local, iso8601 or + iso8601-utc. If set to no, then the date and time will not be logged. If set to yes - or , the date and time are logged + or local, the date and time are logged in a human readable format, using the local time zone. - If set to the local time is + If set to iso8601 the local time is logged in ISO8601 format. If set to - , then the date and time + iso8601-utc, then the date and time are logged in ISO8601 format, with time zone set to - UTC. The default is . + UTC. The default is local. print-time may @@ -4987,7 +4987,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] Specifies the directory in which to store the configuration parameters for zones added via rndc addzone. - By default, this is the working directory. + By default, this is the working directory. If set to a relative + path, it will be relative to the working directory. 
@@ -5710,12 +5711,14 @@ options { Specifies the TTL to be returned on stale answers. - The default is 1 second. The minimal allowed is + The default is 1 second. The minimum allowed is also 1 second; a value of 0 will be updated silently - to 1 second. For stale answers to be returned + to 1 second. For stale answers to be returned, + they must be enabled (either in the configuration file + using stale-answer-enable or via + rndc), and must be set to a - non zero value and they must not have been disabled - by rndc. + nonzero value. @@ -6448,17 +6451,21 @@ options { - serve-stale-enable + stale-answer-enable Enable the returning of stale answers when the nameservers for the zone are not answering. This - is off by default but can be enabled/disabled via - rndc server-stale on and - rndc server-stale off which - override the named.conf setting. rndc - server-stale reset will restore control - via named.conf. + is off by default, but can be enabled/disabled via + rndc serve-stale on and + rndc serve-stale off, which + override the named.conf + setting. rndc serve-stale reset + restores the setting to the one specified in + named.conf. Note that + reloading or reconfiguring named + will not re-enable serving of stale records if they + have been disabled via rndc. diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 048a5f9722..956e716949 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml 
@@ -50,10 +50,11 @@ anything other than the changes you made to our software. - This requirement will not affect anyone who is using BIND - without redistributing it, nor anyone redistributing it without - changes, therefore this change will be without consequence - for most individuals and organizations who are using BIND. + This requirement will not affect anyone who is using BIND, with + or without modifications, without redistributing it, nor anyone + redistributing it without changes. Therefore, this change will be + without consequence for most individuals and organizations who are + using BIND. Those unsure whether or not the license change affects their @@ -65,10 +66,10 @@ -
Windows XP No Longer Supported +
Legacy Windows No Longer Supported - As of BIND 9.11.2, Windows XP is no longer a supported platform for - BIND, and Windows XP binaries are no longer available for download + As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported + platforms for BIND; "XP" binaries are no longer available for download from ISC.
@@ -294,13 +295,14 @@ zone's validated CDS or CDNSKEY records. It can produce a dsset file suitable for input to dnssec-signzone, or a series of - nsupdate to update the parent zone via dynamic - DNS. Thanks to Tony Finch for the contribution. [RT #46090] + nsupdate commands to update the parent zone + via dynamic DNS. Thanks to Tony Finch for the contribution. + [RT #46090] - nsupdate and rndc now accepts + nsupdate and rndc now accept command line options -4 and -6 which force using only IPv4 or only IPv6, respectively. [RT #45632] @@ -481,13 +483,18 @@ these algorithms must be supported in OpenSSL; currently they are only available in the development branch of OpenSSL at - https://github.com/openssl/openssl. + + https://github.com/openssl/openssl. [RT #44696] - EDNS KEY TAG options are verified and printed. + When parsing DNS messages, EDNS KEY TAG options are checked + for correctness. When printing messages (for example, in + dig), EDNS KEY TAG options are printed + in readable format. @@ -624,15 +631,6 @@ are now fully rolled back in the event of failure. [RT #45841] - - - Fixed a bug that was introduced in an earlier development - release which caused multi-packet AXFR and IXFR messages to fail - validation if not all packets contained TSIG records; this - caused interoperability problems with some other DNS - implementations. [RT #45509] - - Multiple cookie-secret clauses are now
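Review bot: In the README hunk at -56,12 and the matching README.md hunk at -66,12, the added line "+acessible afterward." misspells "accessible", and "not initially publicly readable by default" states the same condition twice. Suggest "are not publicly readable by default, they can be made publicly accessible afterward". This is the paragraph that tells reporters to obscure key secrets with named-checkconf -px before sending a configuration file, so the wording about ticket visibility should be exact.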
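Review bot: In the README hunk at -189,10 the new text reads "--with-openssl=" and "--with-pkcs11=" with nothing after the equals sign, while the README.md hunk at -195,9 has "--with-openssl=<PREFIX>" and "--with-pkcs11=<PREFIX>"; as shown, the placeholder is missing from the plain-text file and should be restored there. Two smaller points in the same region: the sentence still says to give "the path to the PKCS#11 provider library", which a <PREFIX> placeholder does not describe, and the unchanged context line "--with-geoip=/prefix" in the next hunk keeps the old convention, so the three options are now documented inconsistently.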
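Review bot: In the README.md hunks at -116,10 and -128,7, the added bullets wrap single quotes inside backticks (`'max-journal-size default'`, `'named-checkconf -l'`), so the quotes become part of the code span, unlike the neighbouring `dnstap-read -x` bullet, which uses backticks alone. Keep the single quotes for the plain README only and drop them inside the backticks in README.md. The same hunks in both files also delete the bullet about the refactored query handling code; nothing in the visible change explains why, so the commit message should say whether that removal is intentional.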
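Review bot: In the bin/dnssec/dnssec-signzone.docbook hunk at -646,6, both added paragraphs begin "If key's sync ... date", which is missing an article; suggest "If the key's sync publication date ..." and "If the key's sync deletion date ...". It would also help to name the key timing options that set these dates, so a reader knows which metadata causes CDS/CDNSKEY records to appear in or disappear from the signed zone.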
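Review bot: In the doc/arm/Bv9ARM-book.xml hunk at -6448,17, the option name changes from serve-stale-enable to stale-answer-enable and the rndc commands from "rndc server-stale" to "rndc serve-stale"; both new spellings should be checked against the configuration parser and rndc before merging, since a manual that documents a rejected name leaves operators unable to turn the feature off. The added sentence that reloading or reconfiguring named does not re-enable stale answers once rndc has disabled them is the behaviour operators most need to know; consider repeating it in the stale-answer-ttl paragraph changed in the hunk at -5710,12, which now refers to enabling "via rndc" without that caveat.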
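Review bot: The doc/arm/notes.xml hunk at -624,15 deletes the release note for the multi-packet AXFR/IXFR TSIG validation fix [RT #45509] with no replacement. The removed text says the bug was "introduced in an earlier development release", so dropping it is reasonable if the bug never reached a published release, but that reasoning should be stated in the commit message, because operators read these notes to judge whether zone-transfer authentication behaviour changed between versions. In the same file, the hunk at -65,10 retitles the section "Legacy Windows No Longer Supported" and adds Windows 2003, yet the sentence about downloads mentions only "XP" binaries; say explicitly whether any download is affected for Windows 2003.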