experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
4040. [func] Added server-side support for pipelined TCP
queries. TCP connections are no longer closed after
the first query received from a client. (The new
"keep-response-order" option allows clients to be
specified for which the old behavior will still be
used.) [RT #37821]
3983. [bug] Change #3940 was incomplete: negative trust anchors
could be set to last up to a week, but the
"nta-lifetime" and "nta-recheck" options were
still limited to one day. [RT #37522]
3882. [func] By default, negative trust anchors will be tested
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behavior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146]
hint zones and reject them. [RT #35268]
Squashed commit of the following:
commit 5b0254711d6b77940d6217b9131b9d401df8a866
Author: Mukund Sivaraman <muks@isc.org>
Date: Fri Mar 28 02:09:01 2014 +0530
Remove redundant helper function
commit a4341c1a2ba830c8cee1def57a533f987f67c3dc
Author: Mark Andrews <marka@isc.org>
Date: Thu Jan 30 10:08:17 2014 +1100
error out if masterfile-format raw is specified for a hint zone.
3746. [func] New "max-zone-ttl" option enforces maximum
TTLs for zones. If loading a zone containing a
higher TTL, the load fails. DDNS updates with
higher TTLs are accepted but the TTL is truncated.
(Note: Currently supported for master zones only;
inline-signing slaves will be added.) [RT #38405]
3736. [bug] nsupdate: When specifying a server by name,
fall back to alternate addresses if the first
address for that name is not reachable. [RT #25784]
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
3535. [func] Add support for setting Differentiated Services Code
Point (DSCP) values in named. Most configuration
options which take a "port" option (e.g.,
listen-on, forwarders, also-notify, masters,
notify-source, etc) can now also take a "dscp"
option specifying a code point for use with
outgoing traffic, if supported by the underlying
OS. [RT #27596]
3432. [func] Multiple DLZ databases can now be configured.
DLZ databases are searched in the order configured,
unless set to "search no", in which case a
zone can be configured to be retrieved from a
particular DLZ database by using a "dlz <name>"
option in the zone statement. DLZ databases can
support type "master" and "redirect" zones.
[RT #27597]