mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-27 20:49:04 +00:00
Code Issues Releases Wiki Activity
bind/doc/notes/notes-current.rst
Mark Andrews a60b54e1df Add release note for [GL #2670]
2021-05-05 23:13:55 +10:00

91 lines
3.1 KiB
ReStructuredText
Raw Blame History

..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.13
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- None.
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
- Reduce the supported maximum number of iterations that can be
configured in an NSEC3 zones to 150. :gl:`#2642`
- Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure.
:gl:`#2445`
- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to
the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347`
- Zones that want to transition from secure to insecure mode without making it
bogus in the process should now first change their ``dnssec-policy`` to
``insecure`` (as opposed to ``none``). Only after the DNSSEC records have
been removed from the zone (in a timely manner), the ``dnssec-policy`` can
be set to ``none`` (or be removed from the configuration). Setting the
``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records
to be published. :gl:`#2645`
- ``inline-signing`` was incorrectly described as being inherited from the
``options`` or ``view`` levels and was incorrectly accepted at those levels
without effect. This has been corrected, ``named.conf`` files with
``inline-signing`` at those levels will no longer load with this fix applied.
:gl:`#2536`
Bug Fixes
~~~~~~~~~
- When dumping the cache to file, TTLs were being increased with
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
values if the RRset was still marked a stale but the ``max-stale-ttl`` has
passed (and is actually an RRset awaiting cleanup). Both issues have now
been fixed. :gl:`#389` :gl:`#2289`
- ``named`` would overwrite a zone file unconditionally when it recovered from
a corrupted journal. :gl:`#2623`
- After the networking manager was introduced to ``named`` to handle
incoming traffic, it was discovered that the recursive performance had been
degraded compared to the previous version (9.11). This has been now fixed by
running internal tasks inside the networking manager worker threads, so
they do not compete for resources. :gl:`#2638`
- With ``dnssec-policy``, when creating new keys also check for keyid conflicts
between the new keys too. :gl:`#2628`
- Update ZONEMD to match RFC 8976. :gl:`#2658`
- With ``dnssec-policy```, don't roll keys if the private key file is offline.
:gl:`#2596`
- Journal compaction could fail when a journal with invalid transaction
headers was not detected at startup. :gl:`#2670`
Reference in New Issue View Git Blame Copy Permalink