mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Commit Graph

2743 Commits

Author SHA1 Message Date
Tinderbox User
a53e03205a regen master 2017-10-25 01:08:58 +00:00
Evan Hunt
21761bfe79 [master] deprecate HMAC in dnssec-keygen, MD5 in rndc-confgen
4785.	[func]		The hmac-md5 algorithm is no longer recommended for
			use with RNDC keys. For compatibility reasons, it
			is still the default algorithm in rndc-confgen,
			but this will be changed to hmac-sha256 in a future
			release. [RT #42272]

4784.	[func]		The use of dnssec-keygen to generate HMAC keys is
			deprecated in favor of tsig-keygen.  dnssec-keygen
			will print a warning when used for this purpose.
			All HMAC algorithms will be removed from
			dnssec-keygen in a future release. [RT #42272]
2017-10-24 15:35:13 -07:00
Evan Hunt
b1042e011c [master] zone "file" option was undocumented 2017-10-23 19:39:56 -07:00
Tinderbox User
2e662cf514 regen master 2017-10-22 01:10:28 +00:00
Evan Hunt
321b8429f5 [master] doc nit: Base64 is capitalized and not hyphenated 2017-10-21 13:28:38 -07:00
Tinderbox User
0fc861dea9 regen master 2017-10-21 01:13:05 +00:00
Mark Andrews
807ad469fe use correct tag
(cherry picked from commit 317330c25a)
2017-10-20 19:06:28 +11:00
Tinderbox User
2115e319ba regen master 2017-10-20 01:09:53 +00:00
Mark Andrews
d8442c1a15 s/made/may/ 2017-10-20 10:29:24 +11:00
Mark Andrews
9e5439a6d8 note removal of <isc/util.h> from other header files 2017-10-20 10:25:45 +11:00
Tinderbox User
b7b8e298f6 regen master 2017-10-19 01:09:18 +00:00
Evan Hunt
d99d5249b7 [master] clarify release notes about deprecated/ineffective options 2017-10-18 12:41:25 -07:00
Tinderbox User
208abf3fc7 regen master 2017-10-18 01:10:52 +00:00
Evan Hunt
30419509dd [master] README and relnote fixes 2017-10-17 13:47:33 -07:00
Tinderbox User
94d96121b9 regen master 2017-10-17 01:08:55 +00:00
Evan Hunt
31275c3f39 [master] fixes to release notes
- some typos
- call out removed features in a "Removed Features" section
- mention TAT logging
2017-10-16 17:46:12 -07:00
Evan Hunt
d63943f063 [master] fixes to release notes
- fixed some typos
- call out feature removals in a "Removed Features" section
- TAT logging
2017-10-16 17:45:08 -07:00
Tinderbox User
4b1eb6a502 regenerate 2017-10-12 18:28:32 +00:00
Tinderbox User
29d9488d16 regen master 2017-10-12 18:23:36 +00:00
Evan Hunt
3abcd7cd8a [master] Revert "[master] tag initializing keys so they can't be used for normal validation"
This reverts commit 560d8b833e.

This change created a potential race between key refresh queries and
root zone priming queries which could leave the root name servers in
the bad-server cache.
2017-10-12 10:53:35 -07:00
Tinderbox User
2bd2487f51 regenerate 2017-10-12 04:21:52 +00:00
Tinderbox User
cac4114e9d regen master 2017-10-12 04:19:20 +00:00
Evan Hunt
560d8b833e [master] tag initializing keys so they can't be used for normal validation
4773.	[bug]		Keys specified in "managed-keys" statements
			can now only be used when validating key refresh
			queries during initialization of RFC 5011 key
			maintenance. If initialization fails, DNSSEC
			validation of normal queries will also fail.
			Previously, validation of normal queries could
			succeed using the initializing key, potentially
			masking problems with managed-keys. [RT #46077]
2017-10-11 21:01:13 -07:00
Tinderbox User
77c7d1c555 regen master 2017-10-12 01:08:20 +00:00
Evan Hunt
16d6fab2e5 [master] make writable directory and managed-keys directory mandatory
4769.   [bug]           The working directory and managed-keys directory has
                        to be writeable (and seekable). [RT #46077]
2017-10-11 08:21:23 +02:00
Tinderbox User
005bdf067b regen master 2017-10-10 01:08:02 +00:00
Evan Hunt
bd08d94f8b [master] add dnssec-cds man page to ARM 2017-10-09 10:58:27 -07:00
Evan Hunt
c89f1bf1b6 [master] turn off memory fill by default
4768.	[func]		By default, memory is no longer filled with tag values
			when it is allocated or freed; this improves
			performance but makes debugging of certain memory
			issues more difficult. "named -M fill" turns memory
			filling back on. (Building "configure
			--enable-developer", turns memory fill on by
			default again; it can then be disabled with
			"named -M nofill".) [RT #45123]
2017-10-09 09:55:37 -07:00
Tinderbox User
8c3ee6e6a5 regen master 2017-10-09 01:08:14 +00:00
Evan Hunt
cd20cbc9c0 [master] add DOA to ARM 2017-10-07 19:34:13 -07:00
Tinderbox User
0f91b4097f regen master 2017-10-07 01:09:38 +00:00
Evan Hunt
995c41e8f0 [master] further restrict update-policy local
4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]
2017-10-06 15:43:31 -07:00
Mark Andrews
b41c1aacbc 4759. [func] Add logging channel "trust-anchor-telementry" to
record trust-anchor-telementry in incoming requests.
                        Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
                        are logged.  [RT #46124]
2017-10-06 13:01:14 +11:00
Evan Hunt
99e0079380 [master] fix topology doc
4758.	[doc]		Remove documentation of unimplemented "topology".
			[RT #46161]
2017-10-05 18:49:33 -07:00
Tinderbox User
26cde05da4 regen master 2017-10-06 01:08:15 +00:00
Evan Hunt
ba37674d03 [master] dnssec-cds
4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]
2017-10-05 01:04:18 -07:00
Evan Hunt
c370305901 [master] 4754. [bug] dns_zone_setview needs a two stage commit to properly
handle errors. [RT #45841]
2017-10-04 23:44:15 -07:00
Evan Hunt
abaa9755d2 [master] fix tag 2017-10-04 18:43:35 -07:00
Evan Hunt
d227e15567 [master] remove spurious control character 2017-10-03 19:41:44 -07:00
Tinderbox User
ca0ae70046 update copyright notice / whitespace 2017-10-03 23:45:48 +00:00
Evan Hunt
e515fae2ae [master] dnssec-signzone can now add sync records
4751.	[func]		"dnssec-signzone -S" can now automatically add parent
			synchronization records (CDS and CDNSKEY) according
			to key metadata set using the -Psync and -Dsync
			options to dnssec-keygen and dnssec-settime.
			[RT #46149]
2017-10-03 01:11:36 -07:00
Evan Hunt
762dc8b871 [master] rndc managed-keys destroy
4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
			maintenance and deletes the managed-keys database.
			If followed by "rndc reconfig" or a server restart,
			key maintenance is reinitialized from scratch.
			This is primarily intended for testing. [RT #32456]
2017-10-03 01:05:46 -07:00
Evan Hunt
f29359299a [master] de-DLV
4749.	[func]		The ISC DLV service has been shut down, and all
			DLV records have been removed from dlv.isc.org.
			- Removed references to ISC DLV in documentation
			- Removed DLV key from bind.keys
			- No longer use ISC DLV by default in delv
			[RT #46155]
2017-10-03 00:41:57 -07:00
Tinderbox User
7cb14b610e regen master 2017-10-03 01:07:20 +00:00
Mark Andrews
c85b467dc0 4747. [func] Synthesis of responses from DNSSEC-verified records.
Stage 3 - synthesize NODATA responses. [RT #40138]
2017-10-03 11:16:37 +11:00
Tinderbox User
5fbc5c9225 regen master 2017-09-29 01:08:37 +00:00
Evan Hunt
24172bd2ee [master] completed and corrected the crypto-random change
4724.	[func]		By default, BIND now uses the random number
			functions provided by the crypto library (i.e.,
			OpenSSL or a PKCS#11 provider) as a source of
			randomness rather than /dev/random.  This is
			suitable for virtual machine environments
			which have limited entropy pools and lack
			hardware random number generators.

			This can be overridden by specifying another
			entropy source via the "random-device" option
			in named.conf, or via the -r command line option;
			however, for functions requiring full cryptographic
			strength, such as DNSSEC key generation, this
			cannot be overridden. In particular, the -r
			command line option no longer has any effect on
			dnssec-keygen.

			This can be disabled by building with
			"configure --disable-crypto-rand".
			[RT #31459] [RT #46047]
2017-09-28 10:09:22 -07:00
Mark Andrews
e00fdad191 4742. [func] Synthesis of responses from DNSSEC-verified records.
Stage 2 - synthesis of records from wildcard data.
                        If the dns64 or filter-aaaa* is configured then the
                        involved lookups are currently excluded. [RT #40138]
2017-09-28 15:16:26 +10:00
Tinderbox User
81c9fdd472 regen master 2017-09-22 01:07:54 +00:00
Tinderbox User
8200eb4c60 update copyright notice / whitespace 2017-09-21 23:47:11 +00:00