mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00
Code Issues Releases Wiki Activity
bind/doc/arm/notes-feature-changes.xml
Evan Hunt 129fb63db6 CHANGES, README, release note
2019-11-07 12:42:14 -08:00

114 lines
4.8 KiB
XML
Raw Blame History

<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
A new asynchronous network communications system based on
<command>libuv</command> is now used by <command>named</command>
for listening for incoming requests and responding to them.
This change will make it easier to improve performance and
implement new protocol layers (for example, DNS over TLS) in
the future. [GL #29]
</para>
</listitem>
<listitem>
<para>
<command>named</command> will now log a warning if
a static key is configured for the root zone. [GL #6]
</para>
</listitem>
<listitem>
<para>
When static and managed DNSSEC keys were both configured for the
same name, or when a static key was used to
configure a trust anchor for the root zone and
<command>dnssec-validation</command> was set to the default
value of <literal>auto</literal>, automatic RFC 5011 key
rollovers would be disabled. This combination of settings was
never intended to work, but there was no check for it in the
parser. This has been corrected, and it is now a fatal
configuration error. [GL #868]
</para>
</listitem>
<listitem>
<para>
DS and CDS records are now generated with SHA-256 digests
only, instead of both SHA-1 and SHA-256. This affects the
default output of <command>dnssec-dsfromkey</command>, the
<filename>dsset</filename> files generated by
<command>dnssec-signzone</command>, the DS records added to
a zone by <command>dnssec-signzone</command> based on
<filename>keyset</filename> files, the CDS records added to
a zone by <command>named</command> and
<command>dnssec-signzone</command> based on "sync" timing
parameters in key files, and the checks performed by
<command>dnssec-checkds</command>.
</para>
</listitem>
<listitem>
<para>
JSON-C is now the only supported library for enabling JSON
support for BIND statistics. The <command>configure</command>
option has been renamed from <command>--with-libjson</command>
to <command>--with-json-c</command>. Use
<command>PKG_CONFIG_PATH</command> to specify a custom path to
the <command>json-c</command> library as the new
<command>configure</command> option does not take the library
installation path as an optional argument.
</para>
</listitem>
<listitem>
<para>
A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
made default. Old non-default HMAC-SHA based DNS Cookie algorithms
have been removed, and only the default AES algorithm is being kept
for legacy reasons. This change doesn't have any operational impact
in most common scenarios. [GL #605]
</para>
<para>
If you are running multiple DNS Servers (different versions of BIND 9
or DNS server from multiple vendors) responding from the same IP
address (anycast or load-balancing scenarios), you'll have to make
sure that all the servers are configured with the same DNS Cookie
algorithm and same Server Secret for the best performance.
</para>
</listitem>
<listitem>
<para>
The information from the <command>dnssec-signzone</command> and
<command>dnssec-verify</command> commands is now printed to standard
output. The standard error output is only used to print warnings and
errors, and in case the user requests the signed zone to be printed to
standard output with <command>-f -</command> option. A new
configuration option <command>-q</command> has been added to silence
all output on standard output except for the name of the signed zone.
</para>
</listitem>
<listitem>
<para>
DS records included in DNS referral messages can now be validated
and cached immediately, reducing the number of queries needed for
a DNSSEC validation. [GL #964]
</para>
</listitem>
<listitem>
<para>
NSEC Aggressive Cache (synth-from-dnssec) has been disabled by default
because it was found to have a significant performance impact on the
recursive service. The NSEC Aggressive Cache will be enable by default
in the future releases. [GL #1265]
</para>
</listitem>
</itemizedlist>
</section>
Reference in New Issue View Git Blame Copy Permalink