Merge branch 'michal/prepare-documentation-for-bind-9.17.19' into 'security-main'

Prepare documentation for BIND 9.17.19 See merge request isc-private/bind9!325
2025-08-30 14:07:59 +00:00 · 2021-10-11 13:26:44 +00:00
parent b3e5134728 08a2f4c0b7
commit a330d6f76f
7 changed files with 209 additions and 226 deletions
--- a/.gitlab/issue_templates/Release.md
+++ b/.gitlab/issue_templates/Release.md
@@ -76,10 +76,9 @@
 - [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
 - [ ] ***(Support)*** Update tickets in case of waiting support customers.
 - [ ] ***(QA)*** Build and test any outstanding private packages.
- - [ ] ***(QA)*** Build RPMs, update Cloudsmith repos
+ - [ ] ***(QA)*** Build public RPMs.
- - [ ] ***(Ondrej/Sweng) *** Build/update Ubuntu launchpad
+ - [ ] ***(SwEng) *** Build Debian/Ubuntu packages.
- - [ ] ***(Ondrej/Sweng) *** Build/update Debian images
+ - [ ] ***(SwEng) *** Update Docker images.
 - [ ] ***(Ondrej/Sweng) *** Build/update Docker files
 - [ ] ***(QA)*** Inform Marketing of the release.
 - [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
 - [ ] ***(Marketing)*** Post short note to Twitter.
--- a/137
+++ b/137
@@ -78,103 +78,100 @@
 			functions operating on result codes, and makes result
 			codes more debugger-friendly. [GL #719]
-5734.	[bug]		Fix "dig" aborting with error in some cases
+5734.	[bug]		Fix intermittent assertion failures in dig which were
-			like when doing zone transfers. [GL #2884]
+			triggered during zone transfers. [GL #2884]
-5733.	[func]		Require "dot" ALPN token to be negotiated for
+5733.	[func]		Require the "dot" Application-Layer Protocol Negotiation
-			zone transfers over TLS (XoT), as required by RFC9103.
+			(ALPN) token to be selected in the TLS handshake for
-			[GL #2794]
+			zone transfers over TLS (XoT), as required by RFC 9103
 			section 7.1. [GL #2794]
-5732.	[cleanup]	Remove dns_lib_init() and _shutdown() and
+5732.	[cleanup]	Remove the dns_lib_init(), dns_lib_shutdown(),
-			ns_lib_init() and _shutdown() functions, as they
+			ns_lib_init(), and ns_lib_shutdown() functions, as they
 			no longer served any useful purpose. [GL #88]
-5731.	[bug]		Do not allow defining "http" clauses named
+5731.	[bug]		Disallow defining "http" configuration clauses called
-			"default". [GL #2925]
+			"default" as they were silently ignored. [GL #2925]
-5730.	[func]		The resolver and the request and dispatch managers
+5730.	[func]		The resolver and the request and dispatch managers have
-			have been substantially refactored, and are now
+			been substantially refactored, and are now based on the
-			based on the network manager instead of the old
+			network manager instead of the old isc_socket API. All
-			isc_socket API. All outgoing DNS queries and
+			outgoing DNS queries and requests now use the new API;
-			requests now use the new API; isc_socket is only
+			isc_socket is only used to monitor for network interface
-			used to monitor for network interface changes.
+			changes. [GL #2401]
 			[GL #2401]
-5729.	[func]		Allow finer control over the TLS protocol by
+5729.	[func]		Allow finer control over TLS protocol configuration by
-			implementing more options within "tls" clauses, namely:
+			implementing new options for "tls" configuration clauses
-			- Diffie-Hellman parameters via
+			("dhparam-file", "ciphers", "prefer-server-ciphers",
-			  'dhparam-file "<path_to_file>";'
+			"session-tickets"). These options make achieving perfect
-			- OpenSSL cipher list string via
+			forward secrecy (PFS) possible for DNS-over-TLS (DoT)
-			  'ciphers "<cipher_list>";'
+			and DNS-over-HTTPS (DoH). [GL #2796]
 			- Server or client ciphers preference via
 			  'prefer-server-ciphers yes|no;'
 			- Ability to explicitly enable or disable stateless
 			  TLS session tickets via 'session-tickets yes|no;'
 			The options are enough to implement perfect forward
 			secrecy in DNS-over-TLS, DNS-over-HTTPS transports.
 			Most of these options were no-op before this
 			change. [GL #2796]
-5728.	[func]		Allow specifying supported TLS protocol
+5728.	[func]		Allow specifying supported TLS protocol versions for
-			versions within "tls" clauses
+			each "tls" configuration clause. [GL #2795]
 			(e.g. protocols { TLSv1.2; TLSv1.3; };). [GL #2795]
-5727.	[bug]		Ignore the missing zones when doing a reload on a
+5727.	[bug]		Fix an assertion failure caused by missing member zones
-			catalog zone, and make sure to restore them later on.
+			during a reload of a catalog zone. [GL #2308]
 			[GL #2308]
-5726.	[bug]		Fix heap use after free when cheking for "http"
+5726.	[bug]		Fix a use-after-free bug which was triggered while
-			clauses duplicates. [GL #2924]
+			checking for duplicate "http" configuration clauses.
 			[GL #2924]
-5725.	[bug]		Validate HTTP path passed to dig. [GL #2923]
+5725.	[bug]		Fix an assertion failure triggered by passing an invalid
 			HTTP path to dig. [GL #2923]
-5724.	[bug]		Address potential dead lock when checking zone
+5724.	[bug]		Address a potential deadlock when checking zone content
-			content consistency. [GL #2908]
+			consistency. [GL #2908]
-5723.	[bug]		Backwards compatiblity for 'check-names master' and
+5723.	[bug]		Change 5709 broke backward compatibility for the
-			'check-names slave' was accidentally broken. [GL #2911]
+			"check-names master ..." and "check-names slave ..."
 			options. This has been fixed. [GL #2911]
-5722.	[bug]		Preserve the contents of TCPDNS and TLSDNS receive
+5722.	[bug]		Preserve the contents of the receive buffer for TCPDNS
-			buffer when growing the buffer size. [GL #2917]
+			and TLSDNS when growing its size. [GL #2917]
-5721.	[func]		New isc_mem_reget() realloc-like function was
+5721.	[func]		A new realloc()-like function, isc_mem_reget(), was
-			introduced into the libisc API, and zero-sized
+			added to the libisc API for resizing memory chunks
-			allocations now return non-NULL pointers. [GL !5440]
+			allocated using isc_mem_get(). Memory (re)allocation
 			functions are now guaranteed to return non-NULL pointers
 			for zero-sized allocation requests. [GL !5440]
-5720.	[contrib]	Remove old-style DLZ drivers that had to be enabled
+5720.	[contrib]	Remove old-style DLZ drivers that had to be enabled at
-			during compile time. [GL #2814]
+			build time. [GL #2814]
-5719.	[func]		The "masterfile-format" format "map" has been removed.
+5719.	[func]		Remove support for the "map" zone file format.
 			[GL #2882]
-5718.	[bug]		Changing the sig signing type, by specifing
+5718.	[bug]		The "sig-signing-type" zone configuration option was
-			sig-signing-type, failed as the configuration was
+			processed incorrectly, causing valid configurations to
-			incorrectly rejected. [GL #2906]
+			be rejected. This has been fixed. [GL #2906]
-5717.	[func]		The "cache-file" option, which was documented as
+5717.	[func]		The "cache-file" option, which was documented as "for
-			for testing purposes only and not to be used,
+			testing purposes only" and not to be used, has been
-			has been removed. [GL #2903]
+			removed. [GL #2903]
 5716.	[placeholder]
-5715.	[func]		Add a check when the *-source(-v6) clashes with the
+5715.	[func]		Add a check for ports specified in "*-source(-v6)"
-			global listening port. Such a configuration was already
+			options clashing with a global listening port. Such a
-			forbidden, but it failed silently. [GL #2888]
+			configuration was already unsupported, but it failed
 			silently; it is now treated as an error. [GL #2888]
-5714.	[bug]		Remove the "adjust interface" mechanism that
+5714.	[bug]		Remove the "adjust interface" mechanism which was
-			set up a listener on interfaces where the *-source(-v6)
+			responsible for setting up listeners on interfaces when
-			address and port were the same as the listening
+			the "*-source(-v6)" address and port were the same as
-			address and port. Such a configuration is no longer
+			the "listen-on(-v6)" address and port. Such a
-			supported; in practice, this would disable
+			configuration is no longer supported; under certain
-			listening on TCP ports under certain timing conditions.
+			timing conditions, that mechanism could prevent named
 			from listening on some TCP ports. This has been fixed.
 			[GL #2852]
-5713.	[func]		Added "primaries" as a synonym for "masters" and
+5713.	[func]		Add "primaries" as a synonym for "masters" and
 			"default-primaries" as a synonym for "default-masters"
-			for catalog zones configuration options. [GL #2818]
+			in catalog zone configuration options. [GL #2818]
-5712.	[func]		Remove native PKCS#11 support in favor of OpenSSL
+5712.	[func]		Remove native PKCS#11 support in favor of engine_pkcs11
-			engine_pkcs11 from the OpenSC project. [GL #2691]
+			from the OpenSC project. [GL #2691]
 	--- 9.17.18 released ---
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -51,7 +51,7 @@ The latest versions of BIND 9 software can always be found at
 https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
-.. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.17.19.rst
 .. include:: ../notes/notes-9.17.18.rst
 .. include:: ../notes/notes-9.17.17.rst
 .. include:: ../notes/notes-9.17.16.rst
--- a/doc/arm/pkcs11.rst
+++ b/doc/arm/pkcs11.rst
@@ -22,10 +22,13 @@ library which provides a low-level PKCS#11 interface to drive the HSM
 hardware. The PKCS#11 provider library comes from the HSM vendor, and it
 is specific to the HSM to be controlled.
-BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project.  The engine is
+BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL
-dynamically loaded into OpenSSL and the HSM is operated indirectly; any
+engine which is part of the `OpenSC`_ project. The engine is dynamically
-cryptographic operations not supported by the HSM can be carried out by OpenSSL
+loaded into OpenSSL and the HSM is operated indirectly; any
-instead.
+cryptographic operations not supported by the HSM can be carried out by
 OpenSSL instead.
 .. _OpenSC: https://github.com/OpenSC/libp11
 Prerequisites
 ~~~~~~~~~~~~~
@@ -93,22 +96,26 @@ going to copy the global OpenSSL configuration (often found in
 ``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
 ::
   cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
 and export the environment variable:
 ::
   export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
 Now add following line at the top of file, before any sections (in square
 brackets) are defined:
 ::
   openssl_conf = openssl_init
 And add following lines at the bottom of the file:
 ::
   [openssl_init]
   engines=engine_section
@@ -153,31 +160,37 @@ name of the PKCS#11 object (called label when generating the keys using
 Convert the KSK:
 ::
   dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
 and ZSK:
 ::
   dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net
 NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
 ::
   (umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)
 and then use in the label specification:
 ::
   pin-source=/opt/bind9/etc/pin.txt
 Confirm that you have one KSK and one ZSK present in the current directory:
 ::
   ls -l K*
 The output should look like this (the second number will be different):
 ::
   Kexample.net.+008+31729.key
   Kexample.net.+008+31729.private
   Kexample.net.+008+42231.key
@@ -196,6 +209,7 @@ The zone signing commences as usual, with only one small difference.  We need to
 provide the name of the OpenSSL engine using the -E command line option.
 ::
   dnssec-signzone -E pkcs11 -S -o example.net example.net
 Running ``named`` With Automatic Zone Re-signing
@@ -205,11 +219,13 @@ The zone can also be signed automatically by named. Again, we need to provide
 the name of the OpenSSL engine using the -E command line option.
 ::
   named -E pkcs11 -c named.conf
 and the logs should have lines like:
 ::
   Fetching example.net/RSASHA256/31729 (KSK) from key repository.
   DNSKEY example.net/RSASHA256/31729 (KSK) is now published
   DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -4818,6 +4818,7 @@ A Diffie-Hellman parameters file can be generated using e.g. OpenSSL,
 like follows:
 ::
   openssl dhparam -out /path/to/dhparam.pem <3072_or_4096>
 Ensure that it gets generated on a machine with enough entropy from
@@ -6654,6 +6655,7 @@ be converted to ``text`` format by the ``named-compilezone`` command,
 then converted back after editing.  For example:
 ::
    named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
    [edit zonefile.text]
    named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text
--- a/doc/notes/notes-9.17.19.rst
+++ b/doc/notes/notes-9.17.19.rst
@@ -0,0 +1,116 @@
 .. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
 Notes for BIND 9.17.19
 ----------------------
 Security Fixes
 ~~~~~~~~~~~~~~
 - The ``lame-ttl`` option controls how long ``named`` caches certain
  types of broken responses from authoritative servers (see the
  `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
  details). This caching mechanism could be abused by an attacker to
  significantly degrade resolver performance. The vulnerability has been
  mitigated by changing the default value of ``lame-ttl`` to ``0`` and
  overriding any explicitly set value with ``0``, effectively disabling
  this mechanism altogether. ISC's testing has determined that doing
  that has a negligible impact on resolver performance while also
  preventing abuse. Administrators may observe more traffic towards
  servers issuing certain types of broken responses than in previous
  BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
  ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
  bringing this vulnerability to our attention. :gl:`#2899`
 New Features
 ~~~~~~~~~~~~
 - It is now possible to specify the TLS protocol versions to support for
  each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2;
  TLSv1.3; };``). :gl:`#2795`
 - New options for ``tls`` configuration clauses were implemented,
  namely:
  - ``dhparam-file "<path_to_file>";`` for specifying Diffie-Hellman
    parameters,
  - ``ciphers "<cipher_list>";`` for specifying OpenSSL ciphers to use,
  - ``prefer-server-ciphers <yes|no>;`` for specifying whether server
    ciphers or client ciphers should be preferred (this controls
    OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option),
  - ``session-tickets <yes|no>;`` for enabling/disabling stateless TLS
    session tickets (see :rfc:`5077`).
  These options allow finer control over TLS protocol configuration and
  make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS
  (DoT) and DNS-over-HTTPS (DoH). :gl:`#2796`
 Removed Features
 ~~~~~~~~~~~~~~~~
 - Native PKCS#11 support has been removed; BIND 9 now :ref:`uses
  engine_pkcs11 for PKCS#11<pkcs11>`. engine_pkcs11 is an OpenSSL engine
  which is part of the `OpenSC`_ project. :gl:`#2691`
 - Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
  enabled in ``named`` at build time have been removed. New-style DLZ
  modules should be used as a replacement. :gl:`#2814`
 - Support for the ``map`` zone file format (``masterfile-format map;``)
  has been removed. Users relying on the ``map`` format are advised to
  convert their zones to the ``raw`` format with ``named-compilezone``
  and change the configuration appropriately prior to upgrading BIND 9.
  :gl:`#2882`
 .. _OpenSC: https://github.com/OpenSC/libp11
 Feature Changes
 ~~~~~~~~~~~~~~~
 - The network manager API is now used for sending all outgoing DNS
  queries and requests from ``named`` and related tools, including
  ``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401`
 - ``named`` and ``named-checkconf`` now exit with an error when a single
  port configured for ``query-source``, ``transfer-source``,
  ``notify-source``, ``parental-source``, and/or their respective IPv6
  counterparts clashes with a global listening port. This configuration
  has not been supported since BIND 9.16.0, but no error was reported
  until now (even though sending UDP messages such as NOTIFY failed).
  :gl:`#2888`
 - ``named`` and ``named-checkconf`` now issue a warning when there is a
  single port configured for ``query-source``, ``transfer-source``,
  ``notify-source``, ``parental-source``, and/or for their respective
  IPv6 counterparts. :gl:`#2888`
 - Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer
  Protocol Negotiation (ALPN) token to be selected in the TLS handshake,
  as required by :rfc:`9103` section 7.1. :gl:`#2794`
 Bug Fixes
 ~~~~~~~~~
 - A recent change introduced in BIND 9.17.18 inadvertently broke
  backward compatibility for the ``check-names master ...`` and
  ``check-names slave ...`` options, causing them to be silently
  ignored. This has been fixed and these options now work properly
  again. :gl:`#2911`
 - When new IP addresses were set up by the operating system during
  ``named`` startup, it could fail to listen for TCP connections on the
  newly added interfaces. :gl:`#2852`
 - Under specific circumstances, zone transfers over TCP and TLS could be
  interrupted prematurely. This has been fixed. :gl:`#2917`
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -1,147 +0,0 @@
 .. 
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.
   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.
 Notes for BIND 9.17.18
 ----------------------
 Security Fixes
 ~~~~~~~~~~~~~~
 - The ``lame-ttl`` option controls how long ``named`` caches certain
  types of broken responses from authoritative servers (see the
  `security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
  details). This caching mechanism could be abused by an attacker to
  significantly degrade resolver performance. The vulnerability has been
  mitigated by changing the default value of ``lame-ttl`` to ``0`` and
  overriding any explicitly set value with ``0``, effectively disabling
  this mechanism altogether. ISC's testing has determined that doing
  that has a negligible impact on resolver performance while also
  preventing abuse. Administrators may observe more traffic towards
  servers issuing certain types of broken responses than in previous
  BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
  ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
  bringing this vulnerability to our attention. :gl:`#2899`
 Known Issues
 ~~~~~~~~~~~~
 - None.
 New Features
 ~~~~~~~~~~~~
 - Ability to specify supported TLS protocol versions within ``tls``
  clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795`
 - New options within ``tls`` clauses were implemented, namely:
  - ``dhparam-file "<path_to_file>";`` to specify Diffie-Hellman parameters;
  - ``ciphers "<cipher_list>";`` to specify OpenSSL ciphers list;
  - ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference;
  - ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077).
  These options allow finer control over TLS protocol features and make it
  possible to achieve perfect forward secrecy for DNS-over-TLS and
  DNS-over-HTTPS. :gl:`#2796`
 - Implement incremental resizing of RBT hash tables to perform the rehashing
  gradually instead all-at-once to be able to grow the memory usage gradually
  while keeping steady response rate during the rehashing. :gl:`#2941`
 - Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs``
  and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records
  so that their content can only match the machine name embedded in the
  Kerberos principal making the change. :gl:`#481`
 Removed Features
 ~~~~~~~~~~~~~~~~
 - Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the
  OpenSC project. :gl:`#2691`
 - Add support for OpenSSL 3.0.0.  OpenSSL 3.0.0 deprecated 'engine' support.
  If OpenSSL 3.0.0 has been built without support for deprecated functionality
  pkcs11 via engine_pkcs11 is no longer available.  At this point in time
  there is no replacement ``provider`` for pkcs11 which is the replacement to
  the ``engine API``. :gl:`#2843`
 - The ``masterfile-format`` format ``map`` has removed.  If you are using the
  ``map`` format, you are advised to convert the zones to ``raw`` format with
  ``named-compilezone`` and change the configuration prior to BIND 9
  upgrade. :gl:`#2882`
 - Remove old-style DLZ drivers that had to be enabled in ``named`` during the
  compile time.  The new-style dynamically loaded DLZ modules should be used
  as a replacement. :gl:`#2814`
 Feature Changes
 ~~~~~~~~~~~~~~~
 - ``named`` and ``named-checkconf`` now issue a warning when there is a single
  configured port in the ``query-source``, ``transfer-source``,
  ``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts.
  :gl:`#2888`
 - ``named`` and ``named-checkconf`` now return an error when the single configured
  port in the ``query-source``, ``transfer-source``, ``notify-source``,
  ``parental-source``, and/or their respective IPv6 counterparts clashes with the
  global listening port. This configuration is no longer supported as of BIND
  9.16.0 but no error was reported, although sending UDP messages
  (such as notifies) would fail. :gl:`#2888`
 - The network manager API is now used by ``named`` and related tools,
  including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS
  queries and requests. :gl:`#2401`
 - Because the old socket manager API has been removed, "socketmgr"
  statistics are no longer reported by the statistics channel. :gl:`#2926`
 - Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol
  Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794`
 - `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
  validation rules for domains and hostnames within dig.  :gl:`#1610`
 .. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
 - The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means
  that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by
  default. The additional signatures from the ZSK that are added if the option
  is set to ``no`` add to the DNS response payload without offering added value.
  :gl:`#1316`
 - The output of ``rndc serve-stale status`` has been clarified. It now
  explicitly reports whether retention of stale data in the cache is enabled
  (``stale-cache-enable``), and whether returning of such data in responses is 
  enabled (``stale-answer-enable``). :gl:`#2742`
 - The default for ``dnssec-policy``'s ``nsec3param`` is changed to use
  no extra iterations and no salt. :gl:`#2956`.
 Bug Fixes
 ~~~~~~~~~
 - When new IP addresses were added to the system during ``named``
  startup, ``named`` failed to listen on TCP for the newly added
  interfaces. :gl:`#2852`
 - Under specific circumstances, zone transfers over TCP and TLS could be
  interrupted prematurely. This has been fixed. :gl:`#2917`
 - Reloading a catalog zone that referenced a missing/deleted zone
  caused a crash. This has been fixed. :gl:`#2308`
 - Logfiles using ``timestamp``-style suffixes were not always correctly
  removed when the number of files exceeded the limit set by ``versions``.
  :gl:`#828`
 - Some lame delegations could trigger a dependency loop, in which a
  resolver fetch was waiting for a name server address lookup which was
  waiting for the same resolver fetch. This could cause a recursive lookup
  to hang until timing out. This now detected and avoided. :gl:`#2927`