mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
Merge branch 'v9_17_20-release' into 'main'
Merge 9.17.20 release branch See merge request isc-projects/bind9!5581
This commit is contained in:
commit
a814f72261
2
CHANGES
2
CHANGES
@ -9,6 +9,8 @@
|
||||
via DNS-over-HTTPS, according to the recommendations
|
||||
given in RFC 8484. [GL #2854]
|
||||
|
||||
--- 9.17.20 released ---
|
||||
|
||||
5755. [bug] The statistics channel wasn't correctly handling
|
||||
multiple HTTP requests, or pipelined or truncated
|
||||
requests. [GL #2973]
|
||||
|
@ -14,7 +14,7 @@
|
||||
#
|
||||
m4_define([bind_VERSION_MAJOR], 9)dnl
|
||||
m4_define([bind_VERSION_MINOR], 17)dnl
|
||||
m4_define([bind_VERSION_PATCH], 19)dnl
|
||||
m4_define([bind_VERSION_PATCH], 20)dnl
|
||||
m4_define([bind_VERSION_EXTRA], )dnl
|
||||
m4_define([bind_DESCRIPTION], [(Development Release)])dnl
|
||||
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
|
||||
|
@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional
|
||||
information about each release, and source code.
|
||||
|
||||
.. include:: ../notes/notes-current.rst
|
||||
.. include:: ../notes/notes-9.17.20.rst
|
||||
.. include:: ../notes/notes-9.17.19.rst
|
||||
.. include:: ../notes/notes-9.17.18.rst
|
||||
.. include:: ../notes/notes-9.17.17.rst
|
||||
|
83
doc/notes/notes-9.17.20.rst
Normal file
83
doc/notes/notes-9.17.20.rst
Normal file
@ -0,0 +1,83 @@
|
||||
..
|
||||
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.17.20
|
||||
----------------------
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- New finer-grained ``update-policy`` rule types,
|
||||
``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
|
||||
These rule types restrict updates to SRV and PTR records so that their
|
||||
content can only match the machine name embedded in the Kerberos
|
||||
principal making the change. :gl:`#481`
|
||||
|
||||
- Support for OpenSSL 3.0.0 APIs was added. :gl:`#2843`
|
||||
|
||||
Removed Features
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
- OpenSSL 3.0.0 deprecated support for so-called "engines." Since BIND 9
|
||||
currently uses engine_pkcs11 for PKCS#11, compiling BIND 9 against an
|
||||
OpenSSL 3.0.0 build which does not retain support for deprecated APIs
|
||||
makes it impossible to use PKCS#11 in BIND 9. A replacement for
|
||||
engine_pkcs11 which employs the new "provider" approach introduced in
|
||||
OpenSSL 3.0.0 is in the making. :gl:`#2843`
|
||||
|
||||
- Since the old socket manager API has been removed, "socketmgr"
|
||||
statistics are no longer reported by the :ref:`statistics channel
|
||||
<statschannels>`. :gl:`#2926`
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- The default for ``dnssec-dnskey-kskonly`` was changed to ``yes``. This
|
||||
means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
|
||||
the KSK by default. The additional signatures prepared using the ZSK
|
||||
when the option is set to ``no`` add to the DNS response payload
|
||||
without offering added value. :gl:`#1316`
|
||||
|
||||
- The default NSEC3 parameters for ``dnssec-policy`` were updated to no
|
||||
extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``).
|
||||
:gl:`#2956`
|
||||
|
||||
- Internal data structures maintained for each cache database are now
|
||||
grown incrementally when they need to be expanded. This helps maintain
|
||||
a steady response rate on a loaded resolver while these internal data
|
||||
structures are resized. :gl:`#2941`
|
||||
|
||||
- The output of ``rndc serve-stale status`` has been clarified. It now
|
||||
explicitly reports whether retention of stale data in the cache is
|
||||
enabled (``stale-cache-enable``), and whether returning such data in
|
||||
responses is enabled (``stale-answer-enable``). :gl:`#2742`
|
||||
|
||||
- The `UseSTD3ASCIIRules`_ flag is now set for libidn2 function calls.
|
||||
This enables additional validation rules for IDN domains and hostnames
|
||||
in ``dig``. :gl:`#1610`
|
||||
|
||||
.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Reloading a catalog zone which referenced a missing/deleted member
|
||||
zone triggered a runtime check failure, causing ``named`` to exit
|
||||
prematurely. This has been fixed. :gl:`#2308`
|
||||
|
||||
- Some lame delegations could trigger a dependency loop, in which a
|
||||
resolver fetch waited for a name server address lookup which was
|
||||
waiting for the same resolver fetch. This could cause a recursive
|
||||
lookup to hang until timing out. This situation is now detected and
|
||||
prevented. :gl:`#2927`
|
||||
|
||||
- Log files using ``timestamp``-style suffixes were not always correctly
|
||||
removed when the number of files exceeded the limit set by
|
||||
``versions``. This has been fixed. :gl:`#828`
|
@ -8,7 +8,7 @@
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.17.20
|
||||
Notes for BIND 9.17.21
|
||||
----------------------
|
||||
|
||||
Security Fixes
|
||||
@ -24,61 +24,19 @@ Known Issues
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- Implement incremental resizing of RBT hash tables to perform the rehashing
|
||||
gradually instead all-at-once to be able to grow the memory usage gradually
|
||||
while keeping steady response rate during the rehashing. :gl:`#2941`
|
||||
|
||||
- Add finer-grained ``update-policy`` rule types, ``krb5-subdomain-self-rhs``
|
||||
and ``ms-subdomain-self-rhs``, that restrict updates to SRV and PTR records
|
||||
so that their content can only match the machine name embedded in the
|
||||
Kerberos principal making the change. :gl:`#481`
|
||||
- None.
|
||||
|
||||
Removed Features
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support.
|
||||
If OpenSSL 3.0.0 has been built without support for deprecated functionality
|
||||
pkcs11 via engine_pkcs11 is no longer available. At this point in time
|
||||
there is no replacement ``provider`` for pkcs11 which is the replacement to
|
||||
the ``engine API``. :gl:`#2843`
|
||||
- None.
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- Because the old socket manager API has been removed, "socketmgr"
|
||||
statistics are no longer reported by the
|
||||
:ref:`statistics channel <statschannels>`. :gl:`#2926`
|
||||
|
||||
- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
|
||||
validation rules for domains and hostnames within dig. :gl:`#1610`
|
||||
|
||||
.. _UseSTD3ASCIIRules: http://www.unicode.org/reports/tr46/#UseSTD3ASCIIRules
|
||||
|
||||
- The default for ``dnssec-dnskey-kskonly`` is changed to ``yes``. This means
|
||||
that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with the KSK by
|
||||
default. The additional signatures from the ZSK that are added if the option
|
||||
is set to ``no`` add to the DNS response payload without offering added value.
|
||||
:gl:`#1316`
|
||||
|
||||
- The output of ``rndc serve-stale status`` has been clarified. It now
|
||||
explicitly reports whether retention of stale data in the cache is enabled
|
||||
(``stale-cache-enable``), and whether returning of such data in responses is
|
||||
enabled (``stale-answer-enable``). :gl:`#2742`
|
||||
|
||||
- The default for ``dnssec-policy``'s ``nsec3param`` is changed to use
|
||||
no extra iterations and no salt. :gl:`#2956`.
|
||||
- None.
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Reloading a catalog zone that referenced a missing/deleted zone
|
||||
caused a crash. This has been fixed. :gl:`#2308`
|
||||
|
||||
- Logfiles using ``timestamp``-style suffixes were not always correctly
|
||||
removed when the number of files exceeded the limit set by ``versions``.
|
||||
:gl:`#828`
|
||||
|
||||
- Some lame delegations could trigger a dependency loop, in which a
|
||||
resolver fetch was waiting for a name server address lookup which was
|
||||
waiting for the same resolver fetch. This could cause a recursive lookup
|
||||
to hang until timing out. This now detected and avoided. :gl:`#2927`
|
||||
- None.
|
||||
|
Loading…
x
Reference in New Issue
Block a user