diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index db94ea44fa..f94aaf3650 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -9,7 +9,7 @@ .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. -Notes for BIND 9.19.22 +Notes for BIND 9.19.23 ---------------------- Security Fixes @@ -20,82 +20,22 @@ Security Fixes New Features ~~~~~~~~~~~~ -- The ``tls`` block was extended with a new ``cipher-suites`` option - that allows setting allowed cipher suites for TLSv1.3. Please - consult the documentation for additional details. - :gl:`#3504` - -- The statistics channel now includes counters that indicate the number - of currently connected TCP IPv4/IPv6 clients. :gl:`#4425` - -- The statistics channel's incoming zone transfers information now also shows - the zones' "first refresh" flag, which indicates that a zone is not fully - ready yet, and its first ever refresh is pending or is in-progress. The number - of such zones is now also exposed by the ``rndc status`` command. :gl:`#4241` - -- Add HSM support to :any:`dnssec-policy`. You can now configure keys with a - ``key-store`` that allows you to set the directory to store the key files and - set a PKCS#11 URI string. The latter requires OpenSSL 3 and a valid PKCS#11 - provider to be configured for OpenSSL. :gl`#1129`. +- None. Removed Features ~~~~~~~~~~~~~~~~ -- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` values, - when the feature is turned on. When using a non-zero value, ``named`` now - generates a warning log message, and treats the value as ``0``. :gl:`#4447` +- None. Feature Changes ~~~~~~~~~~~~~~~ -- The ``dnssec-validation yes`` option now requires an explicitly configured - :any:`trust-anchors` statement. If using manual trust anchors is not - operationally required, then please consider using ``dnssec-validation auto`` - instead. :gl:`#4373` - -- The red-black tree data structure used in the RBTDB (the default - database implementation for cache and zone databases), - has been replaced with QP-tries. This is expected to improve - performance and scalability, though in the current implementation - it is known to have larger memory consumption. - - A side effect of this change is that zone files that are created with - :any:`masterfile-style` ``relative`` - for example, the output of - :any:`dnssec-signzone` - will no longer have multiple different - `$ORIGIN` statements. There should be no other changes to server - behavior. - - The old RBT-based database still exists for now, and can be used by - specifying ``database rbt`` in a ``zone`` statement in ``named.conf``, - or by compiling with ``configure --with-zonedb=rbt --with-cachedb=rbt``. - :gl:`#4411`. +- None. Bug Fixes ~~~~~~~~~ -- Changes to ``listen-on`` statements were ignored on reconfiguration - unless the port or interface address was changed, making it - impossible to change a related listener transport type. That issue - has been fixed. - - ISC would like to thank Thomas Amgarten for bringing this issue to - our attention. :gl:`#4518`, :gl:`#4528` - -- A use-after-free assertion might get triggered when the overmem cache - cleaning triggers. :gl:`#4595` - - ISC would like to thank to Jinmei Tatuya from Infoblox for bringing - this issue to our attention. - -- A regression in cache-cleaning code enabled memory use to grow - significantly more quickly than before, until the configured - :any:`max-cache-size` limit was reached. This has been fixed. - :gl:`#4596` - -- Using :option:`rndc flush` inadvertently caused cache cleaning to - become less effective. This could ultimately lead to the configured - :any:`max-cache-size` limit being exceeded and has now been fixed. - :gl:`#4621` +- None. Known Issues ~~~~~~~~~~~~