how often, in minutes, to check the key repository
for updates when using automatic key maintenance.
Default is every 60 minutes (formerly hard-coded
to 12 hours). [RT #23744]
3101. [bug] Zones using automatic key maintenance could fail
to check the key repository for updates. [RT #23744]
support for addzone/delzone feature (see change
#2930). Removed "new-zone-file" option, replaced
with "allow-new-zones (yes|no)". The new-zone-file
for each view is now created automatically, with
a filename generated from a hash of the view name.
It is no longer necessary to "include" the
new-zone-file in named.conf; this happens
automatically. Zones that were not added via
"rndc addzone" can no longer be removed with
"rndc delzone". [RT #19447]
to DNSSEC but are sematically equal according to plain
DNS. Apply plain DNS comparisons rather than DNSSEC
comparisons when processing UPDATE requests.
dnssec-signzone now removes such semantically duplicate
records prior to signing the RRset.
named-checkzone -r {ignore|warn|fail} (default warn)
named-compilezone -r {ignore|warn|fail} (default warn)
named.conf: check-dup-records {ignore|warn|fail};
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
by the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
- add ddns-confgen command to generate
configuration text for named.conf
- add zone option "ddns-autoconf yes;", which
causes named to generate a TSIG session key
and allow updates to the zone using that key
- add '-l' (localhost) option to nsupdate, which
causes nsupdate to connect to a locally-running
named process using the session key generated
by named
[RT #19284]
"dnssec-lookaside auto;" This is the equivalent
of "dnssec-lookaside . trust-anchor dlv.isc.org;"
plus setting a trusted-key for dlv.isc.org.
Note: The trusted key is hard-coded into named,
but is also stored in (and can be overridden
by) $sysconfdir/bind.keys. As the ISC DLV key
rolls over it can be kept up to date by replacing
the bind.keys file with a key downloaded from
https://www.isc.org/solutions/dlv. [RT #18685]
