mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 10:10:06 +00:00
move 9.10.0 to HISTORY
This commit is contained in:
Mark Andrews
parent
d3600bb89d
commit
889a2f078e
131
HISTORY
131
HISTORY
@ -1,5 +1,136 @@
|
||||
Summary of functional enhancements from prior major releases of BIND 9:
|
||||
|
||||
BIND 9.10.0
|
||||
|
||||
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
|
||||
releases. New features include:
|
||||
|
||||
- DNS Response-rate limiting (DNS RRL), which blunts the
|
||||
impact of reflection and amplification attacks, is always
|
||||
compiled in and no longer requires a compile-time option
|
||||
to enable it.
|
||||
- An experimental "Source Identity Token" (SIT) EDNS option
|
||||
is now available. Similar to DNS Cookies as invented by
|
||||
Donald Eastlake 3rd, these are designed to enable clients
|
||||
to detect off-path spoofed responses, and to enable servers
|
||||
to detect spoofed-source queries. Servers can be configured
|
||||
to send smaller responses to clients that have not identified
|
||||
themselves using a SIT option, reducing the effectiveness of
|
||||
amplification attacks. RRL processing has also been updated;
|
||||
clients proven to be legitimate via SIT are not subject to
|
||||
rate limiting. Use "configure --enable-sit" to enable this
|
||||
feature in BIND.
|
||||
- A new zone file format, "map", stores zone data in a
|
||||
format that can be mapped directly into memory, allowing
|
||||
significantly faster zone loading.
|
||||
- "delv" (domain entity lookup and validation) is a new tool
|
||||
with dig-like semantics for looking up DNS data and performing
|
||||
internal DNSSEC validation. This allows easy validation in
|
||||
environments where the resolver may not be trustworthy, and
|
||||
assists with troubleshooting of DNSSEC problems. (NOTE:
|
||||
In previous development releases of BIND 9.10, this utility
|
||||
was called "delve". The spelling has been changed to avoid
|
||||
confusion with the "delve" utility included with the Xapian
|
||||
search engine.)
|
||||
- Improved EDNS(0) processing for better resolver performance
|
||||
and reliability over slow or lossy connections.
|
||||
- A new "configure --with-tuning=large" option tunes certain
|
||||
compiled-in constants and default settings to values better
|
||||
suited to large servers with abundant memory. This can
|
||||
improve performance on such servers, but will consume more
|
||||
memory and may degrade performance on smaller systems.
|
||||
- Substantial improvement in response-policy zone (RPZ)
|
||||
performance. Up to 32 response-policy zones can be
|
||||
configured with minimal performance loss.
|
||||
- To improve recursive resolver performance, cache records
|
||||
which are still being requested by clients can now be
|
||||
automatically refreshed from the authoritative server
|
||||
before they expire, reducing or eliminating the time
|
||||
window in which no answer is available in the cache.
|
||||
- New "rpz-client-ip" triggers and drop policies allowing
|
||||
response policies based on the IP address of the client.
|
||||
- ACLs can now be specified based on geographic location
|
||||
using the MaxMind GeoIP databases. Use "configure
|
||||
--with-geoip" to enable.
|
||||
- Zone data can now be shared between views, allowing
|
||||
multiple views to serve the same zones authoritatively
|
||||
without storing multiple copies in memory.
|
||||
- New XML schema (version 3) for the statistics channel
|
||||
includes many new statistics and uses a flattened XML tree
|
||||
for faster parsing. The older schema is now deprecated.
|
||||
- A new stylesheet, based on the Google Charts API, displays
|
||||
XML statistics in charts and graphs on javascript-enabled
|
||||
browsers.
|
||||
- The statistics channel can now provide data in JSON
|
||||
format as well as XML.
|
||||
- New stats counters track TCP and UDP queries received
|
||||
per zone, and EDNS options received in total.
|
||||
- The internal and export versions of the BIND libraries
|
||||
(libisc, libdns, etc) have been unified so that external
|
||||
library clients can use the same libraries as BIND itself.
|
||||
- A new compile-time option, "configure --enable-native-pkcs11",
|
||||
allows BIND 9 cryptography functions to use the PKCS#11 API
|
||||
natively, so that BIND can drive a cryptographic hardware
|
||||
service module (HSM) directly instead of using a modified
|
||||
OpenSSL as an intermediary. (Note: This feature requires an
|
||||
HSM to have a full implementation of the PKCS#11 API; many
|
||||
current HSMs only have partial implementations. The new
|
||||
"pkcs11-tokens" command can be used to check API completeness.
|
||||
Native PKCS#11 is known to work with the Thales nShield HSM
|
||||
and with SoftHSM version 2 from the Open DNSSEC project.)
|
||||
- The new "max-zone-ttl" option enforces maximum TTLs for
|
||||
zones. This can simplify the process of rolling DNSSEC keys
|
||||
by guaranteeing that cached signatures will have expired
|
||||
within the specified amount of time.
|
||||
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
|
||||
querying.
|
||||
- "dig +expire" sends an EDNS EXPIRE option when querying.
|
||||
When this option is sent with an SOA query to a server
|
||||
that supports it, it will report the expiry time of
|
||||
a slave zone.
|
||||
- New "dnssec-coverage" tool to check DNSSEC key coverage
|
||||
for a zone and report if a lapse in signing coverage has
|
||||
been inadvertently scheduled.
|
||||
- Signing algorithm flexibility and other improvements
|
||||
for the "rndc" control channel.
|
||||
- "named-checkzone" and "named-compilezone" can now read
|
||||
journal files, allowing them to process dynamic zones.
|
||||
- Multiple DLZ databases can now be configured. Individual
|
||||
zones can be configured to be served from a specific DLZ
|
||||
database. DLZ databases now serve zones of type "master"
|
||||
and "redirect".
|
||||
- "rndc zonestatus" reports information about a specified zone.
|
||||
- "named" now listens on IPv6 as well as IPv4 interfaces
|
||||
by default.
|
||||
- "named" now preserves the capitalization of names
|
||||
when responding to queries: for instance, a query for
|
||||
"example.com" may be answered with "example.COM" if the
|
||||
name was configured that way in the zone file. Some
|
||||
clients have a bug causing them to depend on the older
|
||||
behavior, in which the case of the answer always matched
|
||||
the case of the query, rather than the case of the name
|
||||
configured in the DNS. Such clients can now be specified
|
||||
in the new "no-case-compress" ACL; this will restore the
|
||||
older behavior of "named" for those clients only.
|
||||
- new "dnssec-importkey" command allows the use of offline
|
||||
DNSSEC keys with automatic DNSKEY management.
|
||||
- New "named-rrchecker" tool to verify the syntactic
|
||||
correctness of individual resource records.
|
||||
- When re-signing a zone, the new "dnssec-signzone -Q" option
|
||||
drops signatures from keys that are still published but are
|
||||
no longer active.
|
||||
- "named-checkconf -px" will print the contents of configuration
|
||||
files with the shared secrets obscured, making it easier to
|
||||
share configuration (e.g. when submitting a bug report)
|
||||
without revealing private information.
|
||||
- "rndc scan" causes named to re-scan network interfaces for
|
||||
changes in local addresses.
|
||||
- On operating systems with support for routing sockets,
|
||||
network interfaces are re-scanned automatically whenever
|
||||
they change.
|
||||
- "tsig-keygen" is now available as an alternate command
|
||||
name to use for "ddns-confgen".
|
||||
|
||||
BIND 9.9.0
|
||||
|
||||
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
|
||||
|
||||
131
README
131
README
@ -183,137 +183,6 @@ BIND 9.11.0
|
||||
CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
|
||||
CVE-2016-1286 and CVE-2016-2088.
|
||||
|
||||
BIND 9.10.0
|
||||
|
||||
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
|
||||
releases. New features include:
|
||||
|
||||
- DNS Response-rate limiting (DNS RRL), which blunts the
|
||||
impact of reflection and amplification attacks, is always
|
||||
compiled in and no longer requires a compile-time option
|
||||
to enable it.
|
||||
- An experimental "Source Identity Token" (SIT) EDNS option
|
||||
is now available. Similar to DNS Cookies as invented by
|
||||
Donald Eastlake 3rd, these are designed to enable clients
|
||||
to detect off-path spoofed responses, and to enable servers
|
||||
to detect spoofed-source queries. Servers can be configured
|
||||
to send smaller responses to clients that have not identified
|
||||
themselves using a SIT option, reducing the effectiveness of
|
||||
amplification attacks. RRL processing has also been updated;
|
||||
clients proven to be legitimate via SIT are not subject to
|
||||
rate limiting. Use "configure --enable-sit" to enable this
|
||||
feature in BIND.
|
||||
- A new zone file format, "map", stores zone data in a
|
||||
format that can be mapped directly into memory, allowing
|
||||
significantly faster zone loading.
|
||||
- "delv" (domain entity lookup and validation) is a new tool
|
||||
with dig-like semantics for looking up DNS data and performing
|
||||
internal DNSSEC validation. This allows easy validation in
|
||||
environments where the resolver may not be trustworthy, and
|
||||
assists with troubleshooting of DNSSEC problems. (NOTE:
|
||||
In previous development releases of BIND 9.10, this utility
|
||||
was called "delve". The spelling has been changed to avoid
|
||||
confusion with the "delve" utility included with the Xapian
|
||||
search engine.)
|
||||
- Improved EDNS(0) processing for better resolver performance
|
||||
and reliability over slow or lossy connections.
|
||||
- A new "configure --with-tuning=large" option tunes certain
|
||||
compiled-in constants and default settings to values better
|
||||
suited to large servers with abundant memory. This can
|
||||
improve performance on such servers, but will consume more
|
||||
memory and may degrade performance on smaller systems.
|
||||
- Substantial improvement in response-policy zone (RPZ)
|
||||
performance. Up to 32 response-policy zones can be
|
||||
configured with minimal performance loss.
|
||||
- To improve recursive resolver performance, cache records
|
||||
which are still being requested by clients can now be
|
||||
automatically refreshed from the authoritative server
|
||||
before they expire, reducing or eliminating the time
|
||||
window in which no answer is available in the cache.
|
||||
- New "rpz-client-ip" triggers and drop policies allowing
|
||||
response policies based on the IP address of the client.
|
||||
- ACLs can now be specified based on geographic location
|
||||
using the MaxMind GeoIP databases. Use "configure
|
||||
--with-geoip" to enable.
|
||||
- Zone data can now be shared between views, allowing
|
||||
multiple views to serve the same zones authoritatively
|
||||
without storing multiple copies in memory.
|
||||
- New XML schema (version 3) for the statistics channel
|
||||
includes many new statistics and uses a flattened XML tree
|
||||
for faster parsing. The older schema is now deprecated.
|
||||
- A new stylesheet, based on the Google Charts API, displays
|
||||
XML statistics in charts and graphs on javascript-enabled
|
||||
browsers.
|
||||
- The statistics channel can now provide data in JSON
|
||||
format as well as XML.
|
||||
- New stats counters track TCP and UDP queries received
|
||||
per zone, and EDNS options received in total.
|
||||
- The internal and export versions of the BIND libraries
|
||||
(libisc, libdns, etc) have been unified so that external
|
||||
library clients can use the same libraries as BIND itself.
|
||||
- A new compile-time option, "configure --enable-native-pkcs11",
|
||||
allows BIND 9 cryptography functions to use the PKCS#11 API
|
||||
natively, so that BIND can drive a cryptographic hardware
|
||||
service module (HSM) directly instead of using a modified
|
||||
OpenSSL as an intermediary. (Note: This feature requires an
|
||||
HSM to have a full implementation of the PKCS#11 API; many
|
||||
current HSMs only have partial implementations. The new
|
||||
"pkcs11-tokens" command can be used to check API completeness.
|
||||
Native PKCS#11 is known to work with the Thales nShield HSM
|
||||
and with SoftHSM version 2 from the Open DNSSEC project.)
|
||||
- The new "max-zone-ttl" option enforces maximum TTLs for
|
||||
zones. This can simplify the process of rolling DNSSEC keys
|
||||
by guaranteeing that cached signatures will have expired
|
||||
within the specified amount of time.
|
||||
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
|
||||
querying.
|
||||
- "dig +expire" sends an EDNS EXPIRE option when querying.
|
||||
When this option is sent with an SOA query to a server
|
||||
that supports it, it will report the expiry time of
|
||||
a slave zone.
|
||||
- New "dnssec-coverage" tool to check DNSSEC key coverage
|
||||
for a zone and report if a lapse in signing coverage has
|
||||
been inadvertently scheduled.
|
||||
- Signing algorithm flexibility and other improvements
|
||||
for the "rndc" control channel.
|
||||
- "named-checkzone" and "named-compilezone" can now read
|
||||
journal files, allowing them to process dynamic zones.
|
||||
- Multiple DLZ databases can now be configured. Individual
|
||||
zones can be configured to be served from a specific DLZ
|
||||
database. DLZ databases now serve zones of type "master"
|
||||
and "redirect".
|
||||
- "rndc zonestatus" reports information about a specified zone.
|
||||
- "named" now listens on IPv6 as well as IPv4 interfaces
|
||||
by default.
|
||||
- "named" now preserves the capitalization of names
|
||||
when responding to queries: for instance, a query for
|
||||
"example.com" may be answered with "example.COM" if the
|
||||
name was configured that way in the zone file. Some
|
||||
clients have a bug causing them to depend on the older
|
||||
behavior, in which the case of the answer always matched
|
||||
the case of the query, rather than the case of the name
|
||||
configured in the DNS. Such clients can now be specified
|
||||
in the new "no-case-compress" ACL; this will restore the
|
||||
older behavior of "named" for those clients only.
|
||||
- new "dnssec-importkey" command allows the use of offline
|
||||
DNSSEC keys with automatic DNSKEY management.
|
||||
- New "named-rrchecker" tool to verify the syntactic
|
||||
correctness of individual resource records.
|
||||
- When re-signing a zone, the new "dnssec-signzone -Q" option
|
||||
drops signatures from keys that are still published but are
|
||||
no longer active.
|
||||
- "named-checkconf -px" will print the contents of configuration
|
||||
files with the shared secrets obscured, making it easier to
|
||||
share configuration (e.g. when submitting a bug report)
|
||||
without revealing private information.
|
||||
- "rndc scan" causes named to re-scan network interfaces for
|
||||
changes in local addresses.
|
||||
- On operating systems with support for routing sockets,
|
||||
network interfaces are re-scanned automatically whenever
|
||||
they change.
|
||||
- "tsig-keygen" is now available as an alternate command
|
||||
name to use for "ddns-confgen".
|
||||
|
||||
Building
|
||||
|
||||
BIND 9 currently requires a UNIX system with an ANSI C compiler,
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user