mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-27 12:38:24 +00:00
bind/doc/notes/notes-current.rst
2021-05-20 12:03:47 +02:00

..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

Notes for BIND 9.17.13
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- New configuration options, ``tcp-receive-buffer``, ``tcp-send-buffer``,
``udp-receive-buffer``, and ``udp-send-buffer``, have been added. These
options allow the operator to fine-tune the receiving and sending
buffers in the operating system. On busy servers, increasing the value
of the receive buffers can prevent the server from dropping packets
during short spikes, and decreasing the value can prevent the server from
becoming clogged with queries that are too old and have already timed out
on the receiving side. :gl:`#2313`
Removed Features
~~~~~~~~~~~~~~~~
- None.
Feature Changes
~~~~~~~~~~~~~~~
- The ``draft-vandijk-dnsop-nsec-ttl`` IETF draft was implemented:
NSEC(3) TTL values are now set to the minimum of the SOA MINIMUM value
or the SOA TTL. :gl:`#2347`
- The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. :gl:`#2642`
- DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. :gl:`#2445`
- Zones that want to transition from secure to insecure mode without
becoming bogus in the process must now have their ``dnssec-policy``
changed first to ``insecure``, rather than ``none``. After the DNSSEC
records have been removed from the zone, the ``dnssec-policy`` can be
set to ``none`` or removed from the configuration. Setting the
``dnssec-policy`` to ``insecure`` causes CDS and CDNSKEY DELETE
records to be published. :gl:`#2645`
- ``inline-signing`` was incorrectly described as being inherited from
the ``options``/``view`` levels and was incorrectly accepted at those
levels without effect. This has been fixed; ``named.conf`` files with
``inline-signing`` at those levels no longer load. :gl:`#2536`
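
The NSEC(3) TTL rule and the 150-iteration NSEC3 limit described above can be checked against a zone's records before or after an upgrade. The following is an added example, not part of BIND or of these notes; it assumes records in canonical one-record-per-line form (``owner TTL class type rdata``), and the sample zone ``example.test`` with all of its values is constructed.

```python
# Added example: audit canonical-format records (one RR per line) against
# the NSEC(3) TTL rule and NSEC3 iteration limit stated in these notes.
MAX_NSEC3_ITERATIONS = 150  # limit stated in the release notes

# Constructed sample data; example.test and every value below are made up.
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2021052001 7200 900 1209600 600
example.test. 0 IN NSEC3PARAM 1 0 200 AABBCCDD
b4um86eghhds6nea196smvmlo4ors995.example.test. 3600 IN NSEC3 1 0 200 AABBCCDD GJEQE526PLBF1G8MKLP59ENFD789NJGI A RRSIG
"""


def parse(text):
    """Yield (owner, ttl, rrtype, rdata_fields) for each well-formed record line."""
    for line in text.splitlines():
        fields = line.split()
        # Skip comments, short lines, and lines without a numeric TTL.
        if len(fields) < 5 or fields[0].startswith(";") or not fields[1].isdigit():
            continue
        yield fields[0], int(fields[1]), fields[3].upper(), fields[4:]


def audit(text):
    """Return (expected NSEC(3) TTL or None, list of (owner, type, problem))."""
    records = list(parse(text))
    findings = []
    expected_ttl = None
    soa = next((r for r in records if r[2] == "SOA"), None)
    if soa is not None and len(soa[3]) >= 7:
        # NSEC(3) TTL is the minimum of the SOA MINIMUM field and the SOA TTL.
        expected_ttl = min(int(soa[3][6]), soa[1])
    for owner, ttl, rrtype, rdata in records:
        # NSEC3 and NSEC3PARAM rdata: hash-alg, flags, iterations, salt, ...
        if rrtype in ("NSEC3", "NSEC3PARAM") and len(rdata) >= 3:
            iterations = int(rdata[2])
            if iterations > MAX_NSEC3_ITERATIONS:
                findings.append(
                    (owner, rrtype, f"iterations {iterations} > {MAX_NSEC3_ITERATIONS}"))
        if rrtype in ("NSEC", "NSEC3") and expected_ttl is not None and ttl != expected_ttl:
            findings.append((owner, rrtype, f"TTL {ttl}, expected {expected_ttl}"))
    return expected_ttl, findings


if __name__ == "__main__":
    ttl, problems = audit(SAMPLE)
    print("expected NSEC(3) TTL:", ttl)
    for owner, rrtype, problem in problems:
        print(f"{owner} {rrtype}: {problem}")
```
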
Bug Fixes
~~~~~~~~~
- Fix a race condition in reading and writing key files for KASP zones in
multiple views. :gl:`#1875`
- TTL values in cache dumps were reported incorrectly when
``stale-cache-enable`` was set to ``yes``. This has been fixed.
:gl:`#389` :gl:`#2289`
- If zone journal files written by BIND 9.16.11 or earlier were present
when BIND was upgraded to BIND 9.17.11 or BIND 9.17.12, the zone file
for that zone could have been inadvertently rewritten with the current
zone contents. This caused the original zone file structure (e.g.
comments, ``$INCLUDE`` directives) to be lost, although the zone data
itself was preserved. :gl:`#2623`
- After the network manager was introduced to ``named`` to handle
incoming traffic, it was discovered that recursive performance had
degraded compared to previous BIND 9 versions. This has now been
fixed by processing internal tasks inside network manager worker
threads, preventing resource contention between two sets of threads.
:gl:`#2638`
- When generating zone signing keys, KASP now also checks for key ID
conflicts among newly created keys, rather than just between new and
existing ones. :gl:`#2628`
- The implementation of the ZONEMD RR type has been updated to match
:rfc:`8976`. :gl:`#2658`
- If ``dnssec-policy`` was active and the private key file was
temporarily offline during a rekey event, ``named`` could introduce
replacement keys and break a signed zone. This has been fixed.
:gl:`#2596`
- It was possible for corrupt journal files generated by an earlier
version of ``named`` to cause problems after an upgrade. This has been
fixed. :gl:`#2670`
- ``named`` and ``named-checkconf`` did not report an error when
multiple zones with the ``dnssec-policy`` option set were using the
same zone file. This has been fixed. :gl:`#2603`
- Check ``key-directory`` conflicts in ``named.conf`` for zones in multiple
views with different ``dnssec-policy``. Using the same ``key-directory`` for
such zones is not allowed. :gl:`#2463`