.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, you can obtain one at https://mozilla.org/MPL/2.0/. See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. Notes for BIND 9.17.13 ---------------------- Security Fixes ~~~~~~~~~~~~~~ - None. Known Issues ~~~~~~~~~~~~ - None. New Features ~~~~~~~~~~~~ - New configuration options, ``tcp-receive-buffer``, ``tcp-send-buffer``, ``udp-receive-buffer``, and ``udp-send-buffer``, have been added. These options allows the operator to fine tune the receiving and sending buffers in the operating system. On busy servers, increasing the value of the receive buffers can prevent the server from dropping the packets during short spikes, and decreasing the value would prevent the server to became clogged up with queries that are too old and have already timeouted on the receiving side. :gl:`#2313` Removed Features ~~~~~~~~~~~~~~~~ - None. Feature Changes ~~~~~~~~~~~~~~~ - The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented: NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value or the SOA TTL. :gl:`#2347` - The maximum supported number of NSEC3 iterations that can be configured for a zone has been reduced to 150. :gl:`#2642` - DNSSEC responses containing NSEC3 records with iteration counts greater than 150 are now treated as insecure. :gl:`#2445` - Zones that want to transition from secure to insecure mode without becoming bogus in the process must now have their ``dnssec-policy`` changed first to ``insecure``, rather than ``none``. After the DNSSEC records have been removed from the zone, the ``dnssec-policy`` can be set to ``none`` or removed from the configuration. Setting the ``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE records to be published. :gl:`#2645` - ``inline-signing`` was incorrectly described as being inherited from the ``options``/``view`` levels and was incorrectly accepted at those levels without effect. This has been fixed; ``named.conf`` files with ``inline-signing`` at those levels no longer load. :gl:`#2536` Bug Fixes ~~~~~~~~~ - Fix a race condition in reading and writing key files for KASP zones in multiple views. :gl:`#1875` - TTL values in cache dumps were reported incorrectly when ``stale-cache-enable`` was set to ``yes``. This has been fixed. :gl:`#389` :gl:`#2289` - If zone journal files written by BIND 9.16.11 or earlier were present when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file for that zone could have been inadvertently rewritten with the current zone contents. This caused the original zone file structure (e.g. comments, ``$INCLUDE`` directives) to be lost, although the zone data itself was preserved. :gl:`#2623` - After the network manager was introduced to ``named`` to handle incoming traffic, it was discovered that recursive performance had degraded compared to previous BIND 9 versions. This has now been fixed by processing internal tasks inside network manager worker threads, preventing resource contention among two sets of threads. :gl:`#2638` - When generating zone signing keys, KASP now also checks for key ID conflicts among newly created keys, rather than just between new and existing ones. :gl:`#2628` - The implementation of the ZONEMD RR type has been updated to match :rfc:`8976`. :gl:`#2658` - If ``dnssec-policy`` was active and the private key file was temporarily offline during a rekey event, ``named`` could introduce replacement keys and break a signed zone. This has been fixed. :gl:`#2596` - It was possible for corrupt journal files generated by an earlier version of ``named`` to cause problems after an upgrade. This has been fixed. :gl:`#2670` - ``named`` and ``named-checkconf`` did not report an error when multiple zones with the ``dnssec-policy`` option set were using the same zone file. This has been fixed. :gl:`#2603` - Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple views with different ``dnssec-policy``. Using the same ``key-directory`` for such zones is not allowed. :gl:`#2463`