diff --git a/CHANGES b/CHANGES index 6619a41975..1f204905c2 100644 --- a/CHANGES +++ b/CHANGES @@ -64,7 +64,7 @@ to recover from them. [GL #2600] 5612. [bug] Continued refactoring of the network manager: - - allow recovery from read and connect timeout events + - allow recovery from read and connect timeout events, - ensure that calls to isc_nm_*connect() always return the connection status via a callback function. 
@@ -78,49 +78,58 @@ right after recursion for a client query finished. [GL #2594] -5609. [func] GSSAPI support no longer uses the ISC SPNEGO - implementation. [GL #2607] +5609. [func] The ISC implementation of SPNEGO was removed from BIND 9 + source code. It was no longer necessary as all major + contemporary Kerberos/GSSAPI libraries include support + for SPNEGO. [GL #2607] -5608. [bug] Dig now honors +retry=0 and +tries=1 when queries - are sent over TCP (+tcp) and the remote server closes - the connection prematurely. [GL #2490] +5608. [bug] When sending queries over TCP, dig now properly handles + "+tries=1 +retry=0" by not retrying the connection when + the remote server closes the connection prematurely. + [GL #2490] -5607. [bug] Rekey after 'rndc dnssec -checkds' or 'rndc dnssec - -rollover' command is received, because such a command - may influence the next key event. [GL #2488] +5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover" + commands may affect the next scheduled key event, + reconfiguration of zone keys is now triggered after + receiving either of these commands to prevent + unnecessary key rollover delays. [GL #2488] -5606. [bug] CDS/CDNSKEY DELETE records were not removed when a zone - transitioned from secure to insecure. "named-checkzone" - should not complain if such records exist in an - unsigned zone. [GL #2517] +5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone + transitions from a secure to an insecure state. + named-checkzone also no longer reports an error when + such records are found in an unsigned zone. [GL #2517] -5605. [bug] "dig -u" now uses CLOCK_REALTIME for more accurate - time reporting. [GL #2592] +5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for + more accurate time reporting. [GL #2592] 5604. [experimental] A "filter-a.so" plugin, which is similar to the "filter-aaaa.so" plugin but which omits A records instead of AAAA records, has been added. Thanks to - '@treysis' (GitLab). 
[GL #2585] + GitLab user @treysis. [GL #2585] 5603. [placeholder] -5602. [bug] Fix the TCPDNS and TLSDNS timers, so TCP initial - and idle timers work correctly. [GL #2573] +5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This + makes the "tcp-initial-timeout" and "tcp-idle-timeout" + options work correctly again. [GL #2583] -5601. [bug] Dynamic zones with dnssec-policy could not be thawed - because KASP zones were always considered dynamic; - previously, dynamic KASP zones did not check whether - updates were disabled. This has been fixed. [GL #2523] +5601. [bug] Zones using KASP could not be thawed after they were + frozen using "rndc freeze". This has been fixed. + [GL #2523] -5600. [bug] Load a certificate chain file so that the full chain is - sent to DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) - clients that require full chain verification. [GL #2514] +5600. [bug] Send a full certificate chain instead of just the leaf + certificate to DNS-over-TLS (DoT) and DNS-over-HTTPS + (DoH) clients. This makes BIND 9 DoT/DoH servers + compatible with a broader set of clients. [GL #2514] -5599. [bug] Fix a crash when transferring a zone over TLS, - after "named" previously skipped a master. [GL #2562] +5599. [bug] Fix a named crash which occurred after skipping a + primary server while transferring a zone over TLS. + [GL #2562] -5598. [port] Cast (char) to (unsigned char) when calling ctype - tests. [GL #2567] +5598. [port] Silence -Wchar-subscripts compiler warnings triggered on + some platforms due to calling character classification + functions declared in the header with + arguments of type char. [GL #2567] --- 9.17.11 released ---
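Review bot: In the CHANGES hunk at @@ -64,7 +64,7 (entry 5612), the comma added after "allow recovery from read and connect timeout events" only reads correctly if the whole bullet list is punctuated as one sentence. The next bullet visible here ends with a period, which fits that style, but check that any bullets outside the visible context follow it too, or drop the comma and leave the bullets unpunctuated.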
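Review bot: In the CHANGES hunk at @@ -78,49 +78,58, entry 5602 changes the issue reference from [GL #2573] to [GL #2583] inside what is otherwise a rewording pass. Confirm which number is correct and mention the correction in the commit message so it is not mistaken for a typo introduced by the rewrite. In entry 5598, the new text as shown reads "functions declared in the header with arguments of type char" without naming the header; the old text referred to the ctype tests, so name that header explicitly. The 5598 rewrite also drops the description of the actual change (casting char to unsigned char) and describes only the warning; keeping the cast in the text would tell readers that the code was changed and the warning was not merely suppressed.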