mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00
Code Issues Releases Wiki Activity
bind/doc/notes/notes-current.rst
Michał Kępień 234ff52725 Use :rfc:<number> references in release notes
2021-02-17 22:20:24 +01:00

131 lines
5.6 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.10
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The option
defines the amount of time ``named`` waits before attempting
to answer the query with a stale RRset from cache. If a stale answer
is found, ``named`` continues the ongoing fetches, attempting to
refresh the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
The default value is ``1800`` (in milliseconds) and the maximum value is
bounded to ``resolver-query-timeout`` minus one second. A value of
``0`` immediately returns a cached RRset if available, and still
attempts a refresh of the data in cache.
The option can be disabled by setting the value to ``off`` or
``disabled``. It also has no effect if ``stale-answer-enable`` is
disabled. [GL #2247]
- Also return stale data if an error occurred and we are not resuming a
query (and serve-stale is enabled). This may happen for example if
``fetches-per-server`` or ``fetches-per-zone` limits are reached. In this
case, we will try to answer DNS requests with stale data, but not start
the ``stale-refresh-time`` window. [GL #2434]
- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
outgoing zone transfers. Addresses in a ``primaries`` list can take
an optional ``tls`` option which specifies either a previously configured
``tls`` statement or ``ephemeral``. [GL #2392]
- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of
this, the ``nghttp2`` HTTP/2 library is now required for building the
development branch of BIND 9. Both TLS-encrypted and unencrypted
HTTP/2 connections are supported (the latter may be used to offload
encryption to other software).
Note that there is no client-side support for HTTPS as yet; this will be
added to ``dig`` in a future release. [GL #1144]
Removed Features
~~~~~~~~~~~~~~~~
- A number of non-working configuration options that had been marked
as obsolete in previous releases have now been removed completely.
Using any of the following options is now considered a configuration
failure:
``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``,
``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``,
``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``,
``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
Feature Changes
~~~~~~~~~~~~~~~
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
day, and the default value of ``stale-answer-ttl`` has been changed from 1
second to 30 seconds, following :rfc:`8767` recommendations. [GL #2248]
- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``
and ``_spf_verify`` labels (which are employed by the ``exists`` SPF
mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer
reported as warnings/errors. [GL #2377]
Bug Fixes
~~~~~~~~~
- KASP incorrectly set signature validity to the value of the DNSKEY signature
validity. This is now fixed. [GL #2383]
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key.
This has been fixed. [GL #2178]
- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and
BIND 9.16.11, preventing ``named`` from starting. [GL #2413]
- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
and/or "Delete" timing metadata as possible active keys. This has been fixed.
[GL #2406]
- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
rolled faster than the time required to finish the rollover procedure, the
successor relation equation failed because it assumed only two keys were
taking part in a rollover. This could lead to premature removal of
predecessor keys. BIND 9 now implements a recursive successor relation, as
described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
[GL #2375]
- If an invalid key name (e.g. "a..b") was specified in a ``primaries``
list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
which resulted in the returned memory being put on the wrong freed
list. This has been fixed. [GL #2460]
- If an outgoing packet would exceed max-udp-size, it would be dropped instead
of sending a proper response back. Rollback setting the IP_DONTFRAG on the
UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
[GL #2487]
Reference in New Issue View Git Blame Copy Permalink