None

Errors reported when running rndc addzone (e.g., when a zone file cannot be loaded) have been clarified to make it easier to diagnose problems.

The serial number of a dynamically updatable zone can now be set using rndc signing -serial number zonename. This is particularly useful with inline-signing zones that have been reset. Setting the serial number to a value larger than that on the slaves will trigger an AXFR-style transfer.

When answering recursive queries, SERVFAIL responses can now be cached by the server for a limited time; subsequent queries for the same query name and type will return another SERVFAIL until the cache times out. This reduces the frequency of retries when a query is persistently failing, which can be a burden on recursive serviers. The SERVFAIL cache timeout is controlled by servfail-ttl, which defaults to 10 seconds and has an upper limit of 30.

The new rndc nta command can now be used to set a "negative trust anchor" (NTA), disabling DNSSEC validation for a specific domain; this can be used when responses from a domain are known to be failing validation due to administrative error rather than because of a spoofing attack. NTAs are strictly temporary; by default they expire after one hour, but can be configured to last up to one week. The default NTA lifetime can be changed by setting the nta-lifetime in named.conf.

The EDNS Client Subnet (ECS) option is now supported for authoritative servers; if a query contains an ECS option then ACLs containing geoip or ecs elements can match against the the address encoded in the option. This can be used to select a view for a query, so that different answers can be provided depending on the client network.

The EDNS EXPIRE option has been implemented on the client side, allowing a slave server to set the expiration timer correctly when transferring zone data from another slave server.

A new masterfile-style zone option controls the formatting of text zone files: When set to full, the zone file will dumped in single-line-per-record format.

dig +ednsopt can now be used to set arbitrary EDNS options in DNS requests.

dig +ednsflags can now be used to set yet-to-be-defined EDNS flags in DNS requests.

dig +[no]ednsnegotiation can now be used enable / disable EDNS version negotiation.

dig +header-only can now be used to send queries without a question section.

dig +ttlunits causes dig to print TTL values with time-unit suffixes: w, d, h, m, s for weeks, days, hours, minutes, and seconds.

dig +zflag can be used to set the last unassigned DNS header flag bit. This bit in normally zero.

dig +dscp=value can now be used to set the DSCP code point in outgoing query packets.

serial-update-method can now be set to date. On update, the serial number will be set to the current date in YYYYMMDDNN format.

dnssec-signzone -N date also sets the serial number to YYYYMMDDNN.

named -L filename causes named to send log messages to the specified file by default instead of to the system log.

The rate limiter configured by the serial-query-rate option no longer covers NOTIFY messages; those are now separately controlled by notify-rate and startup-notify-rate (the latter of which controls the rate of NOTIFY messages sent when the server is first started up or reconfigured).

The default number of tasks and client objects available for serving lightweight resolver queries have been increased, and are now configurable via the new lwres-tasks and lwres-clients options in named.conf. [RT #35857]

Log output to files can now be buffered by specifying buffered yes; when creating a channel.

ACLs containing geoip asnum elements were not correctly matched unless the full organization name was specified in the ACL (as in geoip asnum "AS1234 Example, Inc.";). They can now match against the AS number alone (as in geoip asnum "AS1234";).

When using native PKCS#11 cryptography (i.e., configure --enable-native-pkcs11) HSM PINs of up to 256 characters can now be used.

NXDOMAIN responses to queries of type DS are now cached separately from those for other types. This helps when using "grafted" zones of type forward, for which the parent zone does not contain a delegation, such as local top-level domains. Previously a query of type DS for such a zone could cause the zone apex to be cached as NXDOMAIN, blocking all subsequent queries. (Note: This change is only helpful when DNSSEC validation is not enabled. "Grafted" zones without a delegation in the parent are not a recommended configuration.)

Update forwarding performance has been improved by allowing a single TCP connection to be shared between multiple updates.

By default, nsupdate will now check the correctness of hostnames when adding records of type A, AAAA, MX, SOA, NS, SRV or PTR. This behavior can be disabled with check-names no.

Added support for OPENPGPKEY type.

dig, host and nslookup aborted when encountering a name which, after appending search list elements, exceeded 255 bytes. Such names are now skipped, but processing of other names will continue. [RT #36892]

The error message generated when named-checkzone or named-checkconf -z encounters a $TTL directive without a value has been clarified. [RT #37138]

Semicolon characters (;) included in TXT records were incorrectly escaped with a backslash when the record was displayed as text. This is actually only necessary when there are no quotation marks. [RT #37159]

When files opened for writing by named, such as zone journal files, were referenced more than once in named.conf, it could lead to file corruption as multiple threads wrote to the same file. This is now detected when loading named.conf and reported as an error. [RT #37172]

When checking for updates to trust anchors listed in managed-keys, named now revalidates keys based on the current set of active trust anchors, without relying on any cached record of previous validation. [RT #37506]

Large-system tuning (configure --with-tuning=large) caused problems on some platforms by setting a socket receive buffer size that was too large. This is now detected and corrected at run time. [RT #37187]