3760. [bug] Improve SIT with native PKCS#11 and on Windows.
[RT #35433]
3759. [port] Enable delve on Windows. [RT #35441]
3758. [port] Enable export library APIs on windows. [RT #35382]
3745. [func] "configure --with-tuning=large" adjusts various
compiled-in constants and default settings to
values suited to large servers with abundant
memory. [RT #29538]
(which are similar to DNS Cookies by Donald Eastlake)
and are designed to help clients detect off path
spoofed responses and for servers to detect legitimate
clients.
SIT use a experimental EDNS option code (65001).
SIT can be enabled via --enable-developer or
--enable-sit. It is on by default in Windows.
RRL processing as been updated to know about SIT with
legitimate clients not being rate limited. [RT #35389]
3741. [func] "delve" (domain entity lookup and validation engine):
A new tool with dig-like semantics for performing DNS
lookups, with internal DNSSEC validation, using the
same resolver and validator logic as named. This
allows easy validation of DNSSEC data in environments
with untrustworthy resolvers, and assists with
troubleshooting of DNSSEC problems. (Note: not yet
available on win32.) [RT #32406]
3733. [func] Improve interface scanning support. Interface
information will be automatically updated if the
OS supports routing sockets (MacOS, *BSD, Linux).
Use "automatic-interface-scan no;" to disable.
Add "rndc scan" to trigger a scan. [RT #23027]
information will be automatically updated if the
OS supports routing sockets. Use
"automatic-interface-scan no;" to disable.
Add "rndc scan" to trigger a scan. [RT #23027]
probing to see if it is possible to set dscp values
on a per packet basis. [RT #35252]
3716. [bug] The dns_request code was setting dcsp values when not
requested. [RT #35252]
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
