diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index c79f5ab197..464b0a4764 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -19,6 +19,12 @@ TXTOBJS = notes.txt
PDFOBJS = Bv9ARM.pdf notes.pdf
+NOTESXML = notes-bug-fixes.xml notes-download.xml notes-eol.xml \
+ notes-feature-changes.xml notes-intro.xml notes-license.xml \
+ notes-new-features.xml notes-numbering.xml notes-platforms.xml \
+ notes-removed.xml notes-sec-fixes.xml notes-thankyou.xml \
+ notes.xml
+
doc man:: ${MANOBJS} ${TXTOBJS} ${PDFOBJS}
clean::
@@ -36,11 +42,11 @@ maintainer-clean distclean::
rm -f noteversion.xml
# use xmllint to process include
-notes.html: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
+notes.html: notes-wrapper.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand notes-wrapper.xml | ${XMLLINT} --xinclude - | \
${XSLTPROC} --stringparam generate.toc "" ../xsl/isc-notes-html.xsl - > notes.html
-notes.pdf: notes-wrapper.xml notes.xml releaseinfo.xml pkgversion.xml noteversion.xml
+notes.pdf: notes-wrapper.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl notes-wrapper.xml | \
${DBLATEX} -c notes.conf -Pdoc.layout="mainmatter" -o notes.pdf -
@@ -50,17 +56,17 @@ notes.txt: notes.html
sed -e :a -e '/^\n*$$/{$$d;N;};/\n$$/ba' > notes.txt
# use xmllint to process include
-Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM.html: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - | \
${XSLTPROC} --stringparam root.filename Bv9ARM \
${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
# use xmllint to process include
-Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM-all.html: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | ${XMLLINT} --xinclude - |\
${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
-Bv9ARM.pdf: Bv9ARM-book.xml releaseinfo.xml pkgversion.xml noteversion.xml
+Bv9ARM.pdf: Bv9ARM-book.xml ${NOTESXML} releaseinfo.xml pkgversion.xml noteversion.xml
expand Bv9ARM-book.xml | \
${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
${DBLATEX} -c Bv9ARM.conf -o Bv9ARM.pdf -
diff --git a/doc/arm/notes-bug-fixes.xml b/doc/arm/notes-bug-fixes.xml
new file mode 100644
index 0000000000..4af4cf92ee
--- /dev/null
+++ b/doc/arm/notes-bug-fixes.xml
@@ -0,0 +1,101 @@
+
+
+Bug Fixes
+
+
+
+ The allow-update and
+ allow-update-forwarding options were
+ inadvertently treated as configuration errors when used at the
+ options or view level.
+ This has now been corrected.
+ [GL #913]
+
+
+
+
+ When qname-minimization was set to
+ relaxed, some improperly configured domains
+ would fail to resolve, but would have succeeded when minimization
+ was disabled. named will now fall back to normal
+ resolution in such cases, and also uses type A rather than NS for
+ minimal queries in order to reduce the likelihood of encountering
+ the problem. [GL #1055]
+
+
+
+
+ ./configure no longer sets
+ --sysconfdir to /etc or
+ --localstatedir to /var
+ when --prefix is not specified and the
+ aforementioned options are not specified explicitly. Instead,
+ Autoconf's defaults of $prefix/etc and
+ $prefix/var are respected.
+
+
+
+
+ Glue address records were not being returned in responses
+ to root priming queries; this has been corrected. [GL #1092]
+
+
+
+
+ Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
+ cause unexpected results; this has been fixed. [GL #1106]
+
+
+
+
+ named-checkconf now checks DNS64 prefixes
+ to ensure bits 64-71 are zero. [GL #1159]
+
+
+
+
+ named-checkconf now correctly reports a missing
+ dnstap-output option when
+ dnstap is set. [GL #1136]
+
+
+
+
+ Handle ETIMEDOUT error on connect() with a non-blocking
+ socket. [GL #1133]
+
+
+
+
+ Cache database statistics counters could report invalid values
+ when stale answers were enabled, because of a bug in counter
+ maintenance when cache data becomes stale. The statistics counters
+ have been corrected to report the number of RRsets for each
+ RR type that are active, stale but still potentially served,
+ or stale and marked for deletion. [GL #602]
+
+
+
+
+ dig now correctly expands the IPv6 address
+ when run with +expandaaaa +short. [GL #1152]
+
+
+
+
+ When a response-policy zone expires, ensure
+ that its policies are removed from the RPZ summary database.
+ [GL #1146]
+
+
+
+
diff --git a/doc/arm/notes-download.xml b/doc/arm/notes-download.xml
new file mode 100644
index 0000000000..f5211460d4
--- /dev/null
+++ b/doc/arm/notes-download.xml
@@ -0,0 +1,20 @@
+
+
+Download
+
+ The latest versions of BIND 9 software can always be found at
+ http://www.isc.org/downloads/.
+ There you will find additional information about each release,
+ source code, and pre-compiled versions for Microsoft Windows
+ operating systems.
+
+
diff --git a/doc/arm/notes-eol.xml b/doc/arm/notes-eol.xml
new file mode 100644
index 0000000000..ac6539c3ca
--- /dev/null
+++ b/doc/arm/notes-eol.xml
@@ -0,0 +1,26 @@
+
+
+End of Life
+
+ BIND 9.15 is an unstable development branch. When its development
+ is complete, it will be renamed to BIND 9.16, which will be a
+ stable branch.
+
+
+ The end of life date for BIND 9.16 has not yet been determined.
+ For those needing long term support, the current Extended Support
+ Version (ESV) is BIND 9.11, which will be supported until at
+ least December 2021. See
+ https://www.isc.org/downloads/software-support-policy/
+ for details of ISC's software support policy.
+
+
diff --git a/doc/arm/notes-feature-changes.xml b/doc/arm/notes-feature-changes.xml
new file mode 100644
index 0000000000..54c82ce971
--- /dev/null
+++ b/doc/arm/notes-feature-changes.xml
@@ -0,0 +1,95 @@
+
+
+Feature Changes
+
+
+
+ named will now log a warning if
+ a static key is configured for the root zone. [GL #6]
+
+
+
+
+ When static and managed DNSSEC keys were both configured for the
+ same name, or when a static key was used to
+ configure a trust anchor for the root zone and
+ dnssec-validation was set to the default
+ value of auto, automatic RFC 5011 key
+ rollovers would be disabled. This combination of settings was
+ never intended to work, but there was no check for it in the
+ parser. This has been corrected, and it is now a fatal
+ configuration error. [GL #868]
+
+
+
+
+ DS and CDS records are now generated with SHA-256 digests
+ only, instead of both SHA-1 and SHA-256. This affects the
+ default output of dnssec-dsfromkey, the
+ dsset files generated by
+ dnssec-signzone, the DS records added to
+ a zone by dnssec-signzone based on
+ keyset files, the CDS records added to
+ a zone by named and
+ dnssec-signzone based on "sync" timing
+ parameters in key files, and the checks performed by
+ dnssec-checkds.
+
+
+
+
+ JSON-C is now the only supported library for enabling JSON
+ support for BIND statistics. The configure
+ option has been renamed from --with-libjson
+ to --with-json-c. Use
+ PKG_CONFIG_PATH to specify a custom path to
+ the json-c library as the new
+ configure option does not take the library
+ installation path as an optional argument.
+
+
+
+
+ A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
+ made default. Old non-default HMAC-SHA based DNS Cookie algorithms
+ have been removed, and only the default AES algorithm is being kept
+ for legacy reasons. This change doesn't have any operational impact
+ in most common scenarios. [GL #605]
+
+
+ If you are running multiple DNS Servers (different versions of BIND 9
+ or DNS server from multiple vendors) responding from the same IP
+ address (anycast or load-balancing scenarios), you'll have to make
+ sure that all the servers are configured with the same DNS Cookie
+ algorithm and same Server Secret for the best performance.
+
+
+
+
+ The information from the dnssec-signzone and
+ dnssec-verify commands is now printed to standard
+ output. The standard error output is only used to print warnings and
+ errors, and in case the user requests the signed zone to be printed to
+ standard output with -f - option. A new
+ configuration option -q has been added to silence
+ all output on standard output except for the name of the signed zone.
+
+
+
+
+ DS records included in DNS referral messages can now be validated
+ and cached immediately, reducing the number of queries needed for
+ a DNSSEC validation. [GL #964]
+
+
+
+
diff --git a/doc/arm/notes-intro.xml b/doc/arm/notes-intro.xml
new file mode 100644
index 0000000000..c54c9539e9
--- /dev/null
+++ b/doc/arm/notes-intro.xml
@@ -0,0 +1,20 @@
+
+
+Introduction
+
+ BIND 9.15 is an unstable development release of BIND.
+ This document summarizes new features and functional changes that
+ have been introduced on this branch. With each development release
+ leading up to the stable BIND 9.16 release, this document will be
+ updated with additional features added and bugs fixed.
+
+
diff --git a/doc/arm/notes-license.xml b/doc/arm/notes-license.xml
new file mode 100644
index 0000000000..361dd70ac5
--- /dev/null
+++ b/doc/arm/notes-license.xml
@@ -0,0 +1,34 @@
+
+
+License
+
+ BIND is open source software licensed under the terms of the Mozilla
+ Public License, version 2.0 (see the LICENSE
+ file for the full text).
+
+
+ The license requires that if you make changes to BIND and distribute
+ them outside your organization, those changes must be published under
+ the same license. It does not require that you publish or disclose
+ anything other than the changes you have made to our software. This
+ requirement does not affect anyone who is using BIND, with or without
+ modifications, without redistributing it, nor anyone redistributing
+ BIND without changes.
+
+
+ Those wishing to discuss license compliance may contact ISC at
+
+ https://www.isc.org/mission/contact/.
+
+
diff --git a/doc/arm/notes-new-features.xml b/doc/arm/notes-new-features.xml
new file mode 100644
index 0000000000..b29813ff42
--- /dev/null
+++ b/doc/arm/notes-new-features.xml
@@ -0,0 +1,107 @@
+
+
+New Features
+
+
+
+ Added a new command line option to dig:
+ +[no]unexpected. By default, dig
+ won't accept a reply from a source other than the one to which
+ it sent the query. Add the +unexpected argument
+ to enable it to process replies from unexpected sources.
+
+
+
+
+ The GeoIP2 API from MaxMind is now supported. Geolocation support
+ will be compiled in by default if the libmaxminddb
+ library is found at compile time, but can be turned off by using
+ configure --disable-geoip.
+
+
+ The default path to the GeoIP2 databases will be set based
+ on the location of the libmaxminddb library;
+ for example, if it is in /usr/local/lib,
+ then the default path will be
+ /usr/local/share/GeoIP.
+ This value can be overridden in named.conf
+ using the geoip-directory option.
+
+
+ Some geoip ACL settings that were available with
+ legacy GeoIP, including searches for netspeed,
+ org, and three-letter ISO country codes, will
+ no longer work when using GeoIP2. Supported GeoIP2 database
+ types are country, city,
+ domain, isp, and
+ as. All of these databases support both IPv4
+ and IPv6 lookups. [GL #182] [GL #1112]
+
+
+
+
+ In order to clarify the configuration of DNSSEC keys,
+ the trusted-keys and
+ managed-keys statements have been
+ deprecated, and the new dnssec-keys
+ statement should now be used for both types of key.
+
+
+ When used with the keyword initial-key,
+ dnssec-keys has the same behavior as
+ managed-keys, i.e., it configures
+ a trust anchor that is to be maintained via RFC 5011.
+
+
+ When used with the new keyword static-key, it
+ has the same behavior as trusted-keys,
+ configuring a permanent trust anchor that will not automatically
+ be updated. (This usage is not recommended for the root key.)
+ [GL #6]
+
+
+
+
+ The new add-soa option specifies whether
+ or not the response-policy zone's SOA record
+ should be included in the additional section of RPZ responses.
+ [GL #865]
+
+
+
+
+ Two new metrics have been added to the
+ statistics-channel to report DNSSEC
+ signing operations. For each key in each zone, the
+ dnssec-sign counter indicates the total
+ number of signatures named has generated
+ using that key since server startup, and the
+ dnssec-refresh counter indicates how
+ many of those signatures were refreshed during zone
+ maintenance, as opposed to having been generated
+ as a result of a zone update. [GL #513]
+
+
+
+
+ Statistics channel groups are now toggleable. [GL #1030]
+
+
+
+
+ dig, mdig and
+ delv can all now take a +yaml
+ option to print output in a a detailed YAML format. [RT #1145]
+
+
+
+
diff --git a/doc/arm/notes-numbering.xml b/doc/arm/notes-numbering.xml
new file mode 100644
index 0000000000..545e07c201
--- /dev/null
+++ b/doc/arm/notes-numbering.xml
@@ -0,0 +1,30 @@
+
+
+Note on Version Numbering
+
+ Until BIND 9.12, new feature development releases were tagged
+ as "alpha" and "beta", leading up to the first stable release
+ for a given development branch, which always ended in ".0".
+ More recently, BIND adopted the "odd-unstable/even-stable"
+ release numbering convention. There will be no "alpha" or "beta"
+ releases in the 9.15 branch, only increasing version numbers.
+ So, for example, what would previously have been called 9.15.0a1,
+ 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
+ 9.15.1, 9.15.2, etc.
+
+
+ The first stable release from this development branch will be
+ renamed as 9.16.0. Thereafter, maintenance releases will continue
+ on the 9.16 branch, while unstable feature development proceeds in
+ 9.17.
+
+
diff --git a/doc/arm/notes-platforms.xml b/doc/arm/notes-platforms.xml
new file mode 100644
index 0000000000..94d9cf0ac2
--- /dev/null
+++ b/doc/arm/notes-platforms.xml
@@ -0,0 +1,34 @@
+
+
+Supported Platforms
+
+ To build on UNIX-like systems, BIND requires support for POSIX.1c
+ threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
+ IPv6 (RFC 3542), and standard atomic operations provided by the
+ C compiler.
+
+
+ The OpenSSL cryptography library must be available for the target
+ platform. A PKCS#11 provider can be used instead for Public Key
+ cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
+ still required for general cryptography operations such as hashing
+ and random number generation.
+
+
+ More information can be found in the PLATFORMS.md
+ file that is included in the source distribution of BIND 9. If your
+ compiler and system libraries provide the above features, BIND 9
+ should compile and run. If that isn't the case, the BIND
+ development team will generally accept patches that add support
+ for systems that are still supported by their respective vendors.
+
+
diff --git a/doc/arm/notes-removed.xml b/doc/arm/notes-removed.xml
new file mode 100644
index 0000000000..800ad64594
--- /dev/null
+++ b/doc/arm/notes-removed.xml
@@ -0,0 +1,39 @@
+
+
+Removed Features
+
+
+
+ The dnssec-enable option has been obsoleted and
+ no longer has any effect. DNSSEC responses are always enabled
+ if signatures and other DNSSEC data are present. [GL #866]
+
+
+
+
+ The cleaning-interval option has been
+ removed. [GL !1731]
+
+
+
+
+ DNSSEC Lookaside Validation (DLV) is now obsolete.
+ The dnssec-lookaside option has been
+ marked as deprecated; when used in named.conf,
+ it will generate a warning but will otherwise be ignored.
+ All code enabling the use of lookaside validation has been removed
+ from the validator, delv, and the DNSSEC tools.
+ [GL #7]
+
+
+
+
diff --git a/doc/arm/notes-sec-fixes.xml b/doc/arm/notes-sec-fixes.xml
new file mode 100644
index 0000000000..b3d0b6c529
--- /dev/null
+++ b/doc/arm/notes-sec-fixes.xml
@@ -0,0 +1,38 @@
+
+
+Security Fixes
+
+
+
+ The TCP client quota set using the tcp-clients
+ option could be exceeded in some cases. This could lead to
+ exhaustion of file descriptors. This flaw is disclosed in
+ CVE-2018-5743. [GL #615]
+
+
+
+
+ In certain configurations, named could crash
+ with an assertion failure if nxdomain-redirect
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+
+
+
+
+ A race condition could trigger an assertion failure when
+ a large number of incoming packets were being rejected.
+ This flaw is disclosed in CVE-2019-6471. [GL #942]
+
+
+
+
diff --git a/doc/arm/notes-thankyou.xml b/doc/arm/notes-thankyou.xml
new file mode 100644
index 0000000000..1c123d62e0
--- /dev/null
+++ b/doc/arm/notes-thankyou.xml
@@ -0,0 +1,19 @@
+
+
+Thank You
+
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ http://www.isc.org/donate/.
+
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 5796058a60..becf47bbfa 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -19,446 +19,16 @@
- Introduction
-
- BIND 9.15 is an unstable development release of BIND.
- This document summarizes new features and functional changes that
- have been introduced on this branch. With each development release
- leading up to the stable BIND 9.16 release, this document will be
- updated with additional features added and bugs fixed.
-
-
-
- Note on Version Numbering
-
- Until BIND 9.12, new feature development releases were tagged
- as "alpha" and "beta", leading up to the first stable release
- for a given development branch, which always ended in ".0".
- More recently, BIND adopted the "odd-unstable/even-stable"
- release numbering convention. There will be no "alpha" or "beta"
- releases in the 9.15 branch, only increasing version numbers.
- So, for example, what would previously have been called 9.15.0a1,
- 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0,
- 9.15.1, 9.15.2, etc.
-
-
- The first stable release from this development branch will be
- renamed as 9.16.0. Thereafter, maintenance releases will continue
- on the 9.16 branch, while unstable feature development proceeds in
- 9.17.
-
-
-
- Supported Platforms
-
- To build on UNIX-like systems, BIND requires support for POSIX.1c
- threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for
- IPv6 (RFC 3542), and standard atomic operations provided by the
- C compiler.
-
-
- The OpenSSL cryptography library must be available for the target
- platform. A PKCS#11 provider can be used instead for Public Key
- cryptography (i.e., DNSSEC signing and validation), but OpenSSL is
- still required for general cryptography operations such as hashing
- and random number generation.
-
-
- More information can be found in the PLATFORMS.md
- file that is included in the source distribution of BIND 9. If your
- compiler and system libraries provide the above features, BIND 9
- should compile and run. If that isn't the case, the BIND
- development team will generally accept patches that add support
- for systems that are still supported by their respective vendors.
-
-
-
- Download
-
- The latest versions of BIND 9 software can always be found at
- http://www.isc.org/downloads/.
- There you will find additional information about each release,
- source code, and pre-compiled versions for Microsoft Windows
- operating systems.
-
-
-
- Security Fixes
-
-
-
- In certain configurations, named could crash
- with an assertion failure if nxdomain-redirect
- was in use and a redirected query resulted in an NXDOMAIN from the
- cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
-
-
-
-
- The TCP client quota set using the tcp-clients
- option could be exceeded in some cases. This could lead to
- exhaustion of file descriptors. This flaw is disclosed in
- CVE-2018-5743. [GL #615]
-
-
-
-
- A race condition could trigger an assertion failure when
- a large number of incoming packets were being rejected.
- This flaw is disclosed in CVE-2019-6471. [GL #942]
-
-
-
-
-
- New Features
-
-
-
- Added a new command line option to dig:
- +[no]unexpected. By default, dig
- won't accept a reply from a source other than the one to which
- it sent the query. Add the +unexpected argument
- to enable it to process replies from unexpected sources.
-
-
-
-
- The GeoIP2 API from MaxMind is now supported. Geolocation support
- will be compiled in by default if the libmaxminddb
- library is found at compile time, but can be turned off by using
- configure --disable-geoip.
-
-
- The default path to the GeoIP2 databases will be set based
- on the location of the libmaxminddb library;
- for example, if it is in /usr/local/lib,
- then the default path will be
- /usr/local/share/GeoIP.
- This value can be overridden in named.conf
- using the geoip-directory option.
-
-
- Some geoip ACL settings that were available with
- legacy GeoIP, including searches for netspeed,
- org, and three-letter ISO country codes, will
- no longer work when using GeoIP2. Supported GeoIP2 database
- types are country, city,
- domain, isp, and
- as. All of these databases support both IPv4
- and IPv6 lookups. [GL #182] [GL #1112]
-
-
-
-
- In order to clarify the configuration of DNSSEC keys,
- the trusted-keys and
- managed-keys statements have been
- deprecated, and the new dnssec-keys
- statement should now be used for both types of key.
-
-
- When used with the keyword initial-key,
- dnssec-keys has the same behavior as
- managed-keys, i.e., it configures
- a trust anchor that is to be maintained via RFC 5011.
-
-
- When used with the new keyword static-key, it
- has the same behavior as trusted-keys,
- configuring a permanent trust anchor that will not automatically
- be updated. (This usage is not recommended for the root key.)
- [GL #6]
-
-
-
-
- The new add-soa option specifies whether
- or not the response-policy zone's SOA record
- should be included in the additional section of RPZ responses.
- [GL #865]
-
-
-
-
- Two new metrics have been added to the
- statistics-channel to report DNSSEC
- signing operations. For each key in each zone, the
- dnssec-sign counter indicates the total
- number of signatures named has generated
- using that key since server startup, and the
- dnssec-refresh counter indicates how
- many of those signatures were refreshed during zone
- maintenance, as opposed to having been generated
- as a result of a zone update. [GL #513]
-
-
-
-
- Statistics channel groups are now toggleable. [GL #1030]
-
-
-
-
- dig, mdig and
- delv can all now take a +yaml
- option to print output in a a detailed YAML format. [RT #1145]
-
-
-
-
-
- Removed Features
-
-
-
- The dnssec-enable option has been obsoleted and
- no longer has any effect. DNSSEC responses are always enabled
- if signatures and other DNSSEC data are present. [GL #866]
-
-
-
-
- The cleaning-interval option has been
- removed. [GL !1731]
-
-
-
-
- DNSSEC Lookaside Validation (DLV) is now obsolete.
- The dnssec-lookaside option has been
- marked as deprecated; when used in named.conf,
- it will generate a warning but will otherwise be ignored.
- All code enabling the use of lookaside validation has been removed
- from the validator, delv, and the DNSSEC tools.
- [GL #7]
-
-
-
-
-
- Feature Changes
-
-
-
- named will now log a warning if
- a static key is configured for the root zone. [GL #6]
-
-
-
-
- When static and managed DNSSEC keys were both configured for the
- same name, or when a static key was used to
- configure a trust anchor for the root zone and
- dnssec-validation was set to the default
- value of auto, automatic RFC 5011 key
- rollovers would be disabled. This combination of settings was
- never intended to work, but there was no check for it in the
- parser. This has been corrected, and it is now a fatal
- configuration error. [GL #868]
-
-
-
-
- DS and CDS records are now generated with SHA-256 digests
- only, instead of both SHA-1 and SHA-256. This affects the
- default output of dnssec-dsfromkey, the
- dsset files generated by
- dnssec-signzone, the DS records added to
- a zone by dnssec-signzone based on
- keyset files, the CDS records added to
- a zone by named and
- dnssec-signzone based on "sync" timing
- parameters in key files, and the checks performed by
- dnssec-checkds.
-
-
-
-
- JSON-C is now the only supported library for enabling JSON
- support for BIND statistics. The configure
- option has been renamed from --with-libjson
- to --with-json-c. Use
- PKG_CONFIG_PATH to specify a custom path to
- the json-c library as the new
- configure option does not take the library
- installation path as an optional argument.
-
-
-
-
- A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and
- made default. Old non-default HMAC-SHA based DNS Cookie algorithms
- have been removed, and only the default AES algorithm is being kept
- for legacy reasons. This change doesn't have any operational impact
- in most common scenarios. [GL #605]
-
-
- If you are running multiple DNS Servers (different versions of BIND 9
- or DNS server from multiple vendors) responding from the same IP
- address (anycast or load-balancing scenarios), you'll have to make
- sure that all the servers are configured with the same DNS Cookie
- algorithm and same Server Secret for the best performance.
-
-
-
-
- The information from the dnssec-signzone and
- dnssec-verify commands is now printed to standard
- output. The standard error output is only used to print warnings and
- errors, and in case the user requests the signed zone to be printed to
- standard output with -f - option. A new
- configuration option -q has been added to silence
- all output on standard output except for the name of the signed zone.
-
-
-
-
- DS records included in DNS referral messages can now be validated
- and cached immediately, reducing the number of queries needed for
- a DNSSEC validation. [GL #964]
-
-
-
-
-
- Bug Fixes
-
-
-
- The allow-update and
- allow-update-forwarding options were
- inadvertently treated as configuration errors when used at the
- options or view level.
- This has now been corrected.
- [GL #913]
-
-
-
-
- When qname-minimization was set to
- relaxed, some improperly configured domains
- would fail to resolve, but would have succeeded when minimization
- was disabled. named will now fall back to normal
- resolution in such cases, and also uses type A rather than NS for
- minimal queries in order to reduce the likelihood of encountering
- the problem. [GL #1055]
-
-
-
-
- ./configure no longer sets
- --sysconfdir to /etc or
- --localstatedir to /var
- when --prefix is not specified and the
- aforementioned options are not specified explicitly. Instead,
- Autoconf's defaults of $prefix/etc and
- $prefix/var are respected.
-
-
-
-
- Glue address records were not being returned in responses
- to root priming queries; this has been corrected. [GL #1092]
-
-
-
-
- Cache database statistics counters could report invalid values
- when stale answers were enabled, because of a bug in counter
- maintenance when cache data becomes stale. The statistics counters
- have been corrected to report the number of RRsets for each
- RR type that are active, stale but still potentially served,
- or stale and marked for deletion. [GL #602]
-
-
-
-
- Interaction between DNS64 and RPZ No Data rule (CNAME *.) could
- cause unexpected results; this has been fixed. [GL #1106]
-
-
-
-
- named-checkconf now checks DNS64 prefixes
- to ensure bits 64-71 are zero. [GL #1159]
-
-
-
-
- named-checkconf now correctly reports
- a missing dnstap-output option when
- dnstap is set. [GL #1136]
-
-
-
-
- Handle ETIMEDOUT error on connect() with a non-blocking
- socket. [GL #1133]
-
-
-
-
- dig now correctly expands the IPv6 address
- when run with +expandaaaa +short. [GL #1152]
-
-
-
-
- When a response-policy zone expires, ensure
- that its policies are removed from the RPZ summary database.
- [GL #1146]
-
-
-
-
-
- License
-
- BIND is open source software licensed under the terms of the Mozilla
- Public License, version 2.0 (see the LICENSE
- file for the full text).
-
-
- The license requires that if you make changes to BIND and distribute
- them outside your organization, those changes must be published under
- the same license. It does not require that you publish or disclose
- anything other than the changes you have made to our software. This
- requirement does not affect anyone who is using BIND, with or without
- modifications, without redistributing it, nor anyone redistributing
- BIND without changes.
-
-
- Those wishing to discuss license compliance may contact ISC at
-
- https://www.isc.org/mission/contact/.
-
-
-
- End of Life
-
- BIND 9.15 is an unstable development branch. When its development
- is complete, it will be renamed to BIND 9.16, which will be a
- stable branch.
-
-
- The end of life date for BIND 9.16 has not yet been determined.
- For those needing long term support, the current Extended Support
- Version (ESV) is BIND 9.11, which will be supported until at
- least December 2021. See
- https://www.isc.org/downloads/software-support-policy/
- for details of ISC's software support policy.
-
-
-
- Thank You
-
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- http://www.isc.org/donate/.
-
-
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/util/copyrights b/util/copyrights
index 9516634102..34fc11d7df 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1460,6 +1460,18 @@
./doc/arm/master.zoneopt.xml SGML 2018,2019
./doc/arm/masters.grammar.xml SGML 2018,2019
./doc/arm/mirror.zoneopt.xml SGML 2018,2019
+./doc/arm/notes-bug-fixes.xml SGML 2019
+./doc/arm/notes-download.xml SGML 2019
+./doc/arm/notes-eol.xml SGML 2019
+./doc/arm/notes-feature-changes.xml SGML 2019
+./doc/arm/notes-intro.xml SGML 2019
+./doc/arm/notes-license.xml SGML 2019
+./doc/arm/notes-new-features.xml SGML 2019
+./doc/arm/notes-numbering.xml SGML 2019
+./doc/arm/notes-platforms.xml SGML 2019
+./doc/arm/notes-removed.xml SGML 2019
+./doc/arm/notes-sec-fixes.xml SGML 2019
+./doc/arm/notes-thankyou.xml SGML 2019
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019
./doc/arm/notes.conf X 2015,2018,2019
./doc/arm/notes.html X 2014,2015,2016,2017,2018,2019