ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Reorder release notes

Browse Source
This commit is contained in:
Michał Kępień
2020-06-10 13:18:50 +02:00
parent 40b3591eea
commit 2e3a70fe8d
1 changed files with 34 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
doc/notes/notes-9.16.4.rst
View File

@@ -24,88 +24,56 @@ Security Fixes
New Features
~~~~~~~~~~~~
- Documentation was converted from DocBook to reStructuredText. The
BIND 9 ARM is now generated using Sphinx and published on `Read the
Docs`_. Release notes are no longer available as a separate document
accompanying a release. [GL #83]
- ``named`` and ``named-checkzone`` now reject master zones that have a
DS RRset at the zone apex. Attempts to add DS records at the zone
apex via UPDATE will be logged but otherwise ignored. DS records
belong in the parent zone, not at the zone apex. [GL #1798]
- ``named`` and ``named-checkzone`` now reject master zones that
have a DS RRset at the zone apex. Attempts to add DS records
at the zone apex via UPDATE will be logged but otherwise ignored.
DS records belong in the parent zone, not at the zone apex. [GL #1798]
- ``dig`` and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
option when it appears in a request or response. [GL #1834]
Feature Changes
~~~~~~~~~~~~~~~
- The default value of ``max-stale-ttl`` has changed from 1 week to 12
hours. This option controls how long ``named`` retains expired RRsets
in cache as a potential mitigation mechanism, should there be a
problem with one or more domains. Note that cache content retention
is independent of whether stale answers are used in response to
client queries (``stale-answer-enable yes|no`` and ``rndc serve-stale
on|off``). Serving of stale answers when the authoritative servers
are not responding must be explicitly enabled, whereas the retention
of expired cache content takes place automatically on all versions of
BIND 9 that have this feature available. [GL #1877]
- The default value of ``max-stale-ttl`` has changed from 1 week to 12 hours.
This option controls how long named retains expired RRsets in cache as a
potential mitigation mechanism, should there be a problem with one or more
domains. Note that cache content retention is independent of whether or not
stale answers will be used in response to client queries
(``stale-answer-enable yes|no`` and ``rndc serve-stale on|off``). Serving of
stale answers when the authoritative servers are not responding must be
explicitly enabled, whereas the retention of expired cache content takes
place automatically on all versions of BIND that have this feature available.
[GL #1877]
.. warning::
This change may be significant for administrators who expect that
stale cache content will be automatically retained for up to 1
week. Add option ``max-stale-ttl 1w;`` to ``named.conf`` to keep
the previous behavior of ``named``.
.. warning:
This change may be significant for administrators who expect that stale
cache content will be automatically retained for up to 1 week. Add
option ``max-stale-ttl 1w;`` to named.conf to keep the previous behavior
of named.
- ``listen-on-v6 { any; }`` creates a separate socket for each
interface. Previously, just one socket was created on systems
conforming to :rfc:`3493` and :rfc:`3542`. This change was introduced
in BIND 9.16.0, but it was accidentally omitted from documentation.
[GL #1782]
- listen-on-v6 { any; } creates separate sockets for all interfaces,
while previously it created one socket on systems conforming to
:rfc:`3493` and :rfc:`3542`, this change was introduced in 9.16.0
but accudently ommited from documentation.
Bug Fixes
~~~~~~~~~
- When fully updating the NSEC3 chain for a large zone via IXFR, a
temporary loss of performance could be experienced on the secondary
server when answering queries for nonexistent data that required
DNSSEC proof of non-existence (in other words, queries that required
the server to find and to return NSEC3 data). The unnecessary
processing step that was causing this delay has now been removed.
[GL #1834]
- ``named`` could crash with an assertion failure if the name of a
database node was looked up while the database was being modified.
[GL #1857]
- A possible deadlock in ``lib/isc/unix/socket.c`` was fixed.
[GL #1859]
- Missing mutex and conditional destruction in netmgr code leads to a memory
leak on BSD systems. [GL #1893].
- Previously, ``named`` did not destroy some mutexes and conditional
variables in netmgr code, which caused a memory leak on FreeBSD. This
has been fixed. [GL #1893]
- Fix a data race in resolver.c:formerr() that could lead to assertion
failure. [GL #1808]
- A data race in ``lib/dns/resolver.c:log_formerr()`` that could lead
to an assertion failure was fixed. [GL #1808]
- Fix a bug in dnssec-policy keymgr where the check if a key has a
successor would return a false positive if any other key in the
keyring has a successor. [GL #1845]
- Previously, ``provide-ixfr no;`` failed to return up-to-date
responses when the serial number was greater than or equal to the
current serial number. [GL #1714]
- A bug in dnssec-policy keymgr was fixed, where the check for the
existence of a given key's successor would incorrectly return
``true`` if any other key in the keyring had a successor. [GL #1845]
- With dnssec-policy, when creating a successor key, the "goal" state
of the current active key (the predecessor) was not changed and thus
never removed from the zone. [GL #1846]
- ``named-checkconf -p`` could include spurious text in
``server-addresses`` statements due to an uninitialized DSCP value.
This has been fixed. [GL #1812]
- The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed.
[GL #1842]
.. _Read the Docs: https://bind9.readthedocs.io/
- With dnssec-policy, when creating a successor key, the goal state of
the current active key (the predecessor) was not changed and thus was
never is removed from the zone. [GL #1846]