From 0f93a755d12eb0df50689807f829ad41f930a5b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 23 Jul 2024 17:31:46 +0200 Subject: [PATCH 1/2] Update BIND version to 9.21.0-dev --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index bf7405cc1b..5ea7657c34 100644 --- a/configure.ac +++ b/configure.ac @@ -15,8 +15,8 @@ # a shell variable in AC_INIT # m4_define([bind_VERSION_MAJOR], 9)dnl -m4_define([bind_VERSION_MINOR], 19)dnl -m4_define([bind_VERSION_PATCH], 25)dnl +m4_define([bind_VERSION_MINOR], 21)dnl +m4_define([bind_VERSION_PATCH], 0)dnl m4_define([bind_VERSION_EXTRA], -dev)dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl From 8b153abd3c3e1fe788a53cb245ff40adaff2afa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 23 Jul 2024 17:31:46 +0200 Subject: [PATCH 2/2] Set up release notes for BIND 9.21.0 --- doc/arm/notes.rst | 23 +- doc/notes/notes-9.20.0.rst | 479 ------------------------------------ doc/notes/notes-current.rst | 15 +- 3 files changed, 18 insertions(+), 499 deletions(-) delete mode 100644 doc/notes/notes-9.20.0.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index b393206c15..a07cb0d976 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -17,9 +17,12 @@ Release Notes Introduction ------------ -BIND 9.20 is a stable branch, suitable for production use. This -document summarizes significant changes since the last production -release on the 9.18 branch. +BIND 9.21 is an unstable development release of BIND. This document +summarizes new features and functional changes that have been introduced +on this branch. With each development release leading up to the stable +BIND 9.22 release, this document will be updated with additional +features added and bugs fixed. Please see the CHANGES file for a more +detailed list of changes and bug fixes. Supported Platforms ------------------- @@ -36,7 +39,6 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst .. include:: ../notes/notes-current.rst -.. include:: ../notes/notes-9.20.0.rst .. _relnotes_license: @@ -52,12 +54,13 @@ https://www.isc.org/contact/. End of Life ----------- -BIND 9.20 is a stable branch, suitable for production use. After it has -been in production use for a while it will be designated as an Extended -Support Version (ESV). Until then, the current ESV is BIND 9.18, which -will be supported until at least December 2025. See -https://kb.isc.org/docs/aa-00896 for details of ISC's software support -policy. +BIND 9.21 is an unstable development branch. When its development is +complete, it will be renamed to BIND 9.22, which will be a stable +branch. The end-of-life date for BIND 9.22 has not yet been determined. +For those needing long-term stability, the current Extended Support +Version (ESV) is BIND 9.18, which will be supported until at least +December 2025. See https://kb.isc.org/docs/aa-00896 for details of +ISC's software support policy. Thank You --------- diff --git a/doc/notes/notes-9.20.0.rst b/doc/notes/notes-9.20.0.rst deleted file mode 100644 index 64bf0748a2..0000000000 --- a/doc/notes/notes-9.20.0.rst +++ /dev/null @@ -1,479 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -Notes for BIND 9.20.0 ---------------------- - -.. note:: This section only lists changes since BIND 9.18.28, the most - recent release on the previous stable branch of BIND at the - time of the publication of BIND 9.20.0. - -New Features -~~~~~~~~~~~~ - -- The :any:`forwarders` statement now supports the :any:`tls` argument, - to be used to forward queries to DoT-enabled servers. :gl:`#3726` - -- :iscman:`named` now supports forwarding Dynamic DNS updates through - DNS-over-TLS (DoT). :gl:`#3512` - -- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). - :gl:`!6752` - -- The :any:`tls` block was extended with a new :any:`cipher-suites` option - that allows permitted cipher suites for TLSv1.3 to be set. Please - consult the documentation for additional details. - :gl:`#3504` - -- Initial support for the PROXYv2 protocol was added. :iscman:`named` - can now accept PROXYv2 headers over all currently implemented DNS - transports and :iscman:`dig` can insert these headers into the queries - it sends. Please consult the related documentation - (:any:`allow-proxy`, :any:`allow-proxy-on`, :any:`listen-on`, and - :any:`listen-on-v6` for :iscman:`named`, :option:`dig +proxy` and - :option:`dig +proxy-plain` for :iscman:`dig`) for additional details. - :gl:`#4388` - -- The client-side support of the EDNS EXPIRE option has been expanded to - include IXFR and AXFR query types. This enhancement enables - :iscman:`named` to perform AXFR and IXFR queries while incorporating - the EDNS EXPIRE option. :gl:`#4170` - -- A new configuration option :any:`require-cookie` has been introduced. - It specifies whether there should be a DNS COOKIE in the response for - a given prefix; if not, :iscman:`named` falls back to TCP. This is - useful if it is known that a given server supports DNS COOKIE. It can - also be used to force all non-DNS COOKIE responses to fall back to - TCP. :gl:`#2295` - -- The :any:`check-svcb` option has been added to control the checking of - additional constraints on SVCB records. This change affects - :iscman:`named`, :iscman:`named-checkconf`, :iscman:`named-checkzone`, - :iscman:`named-compilezone`, and :iscman:`nsupdate`. :gl:`#3576` - -- The new :any:`resolver-use-dns64` option enables :iscman:`named` to - apply :any:`dns64` rules to IPv4 server addresses when sending - recursive queries, so that resolution can be performed over a NAT64 - connection. :gl:`#608` - -- A new option to :any:`dnssec-policy` has been added, :any:`cdnskey`, - that allows users to enable or disable the publication of CDNSKEY - records. :gl:`#4050` - -- When using :any:`dnssec-policy`, it is now possible to configure the - digest type to use when CDS records need to be published with - :any:`cds-digest-types`. Also, publication of specific CDNSKEY/CDS - records can now be set with :option:`dnssec-signzone -G`. :gl:`#3837` - -- Support for multi-signer model 2 (:rfc:`8901`) when using - :any:`inline-signing` was added. :gl:`#2710` - -- HSM support was added to :any:`dnssec-policy`. Keys can now be - configured with a ``key-store`` that allows users to set the directory - where key files are stored and to set a PKCS#11 URI string. The latter - requires OpenSSL 3 and a valid PKCS#11 provider to be configured for - OpenSSL. :gl:`#1129` - -- A new DNSSEC tool :iscman:`dnssec-ksr` has been added to create Key - Signing Request (KSR) and Signed Key Response (SKR) files. :gl:`#1128` - -- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a - ``-J`` option to specify a journal file to read when loading the zone - to be verified or signed. :gl:`#2486` - -- :iscman:`dnssec-keygen` now allows the options :option:`-k - ` and :option:`-f ` to be used - together. This allows the creation of keys for a given - :any:`dnssec-policy` that match only the KSK (``-fK``) or ZSK (``-fZ``) - roles. :gl:`#1128` - -- The :any:`response-policy` statement was extended with a new argument - ``ede``. It enables an :rfc:`8914` Extended DNS Error (EDE) code of choice to - be set for responses which have been modified by a given RPZ. :gl:`#3410` - -- A new way of configuring the preferred source address when talking to - remote servers, such as :any:`primaries` and :any:`parental-agents`, - has been added: setting the ``source`` and/or ``source-v6`` arguments - for a given statement is now possible. This new approach is intended - to eventually replace statements such as :any:`parental-source`, - :any:`parental-source-v6`, :any:`transfer-source`, etc. :gl:`#3762` - -- The new command-line :option:`delv +ns` option activates name server - mode, to more accurately reproduce the behavior of :iscman:`named` - when resolving a query. In this mode, :iscman:`delv` uses an internal - recursive resolver rather than an external server. All messages sent - and received during the resolution and validation process are logged. - This can be used in place of :option:`dig +trace`. :gl:`#3842` - -- The read timeout in :iscman:`rndc` can now be specified on the command - line using the :option:`-t ` option, allowing commands that - take a long time to complete sufficient time to do so. :gl:`#4046` - -- The statistics channel now includes information about incoming zone - transfers that are currently in progress. :gl:`#3883` - -- Information on incoming zone transfers in the statistics channel now - also shows the zones' "first refresh" flag, which indicates that a zone - is not fully ready and that its first ever refresh is pending or is in - progress. The number of such zones is now also exposed by the - :option:`rndc status` command. :gl:`#4241` - -- Added a new statistics variable ``recursive high-water`` that reports - the maximum number of simultaneous recursive clients BIND has handled - while running. :gl:`#4668` - -- A new command, :option:`rndc fetchlimit`, prints a list of name server - addresses that are currently rate-limited due to - :any:`fetches-per-server` and domain names that are rate-limited due - to :any:`fetches-per-zone`. :gl:`#665` - -- Queries and responses now emit distinct dnstap entries for DNS-over-TLS - (DoT) and DNS-over-HTTPS (DoH), and :any:`dnstap-read` understands - these entries. :gl:`#4523` - -- :iscman:`dnstap-read` can now print long timestamps with millisecond - precision. :gl:`#2360` - -- Support for libsystemd's ``sd_notify()`` function was added, enabling - :iscman:`named` to report its status to the init system. This allows - systemd to wait until :iscman:`named` is fully ready before starting - other services that depend on name resolution. :gl:`#1176` - -- Support for User Statically Defined Tracing (USDT) probes has been - added. These probes enable fine-grained application tracing and - introduce no overhead when they are not enabled. :gl:`#4041` - -Removed Features -~~~~~~~~~~~~~~~~ - -- Support for Red Hat Enterprise Linux version 7 (and clones) has been - dropped. A C11-compliant compiler is now required to compile BIND 9. - :gl:`#3729` - -- Compiling with `jemalloc`_ versions older than 4.0.0 is no longer - supported; those versions do not provide the features required by - current BIND 9 releases. :gl:`#4296` - -- The ``auto-dnssec`` configuration statement has been removed. Please - use :any:`dnssec-policy` or manual signing instead. - See article `how to migrate `_ - from ``auto-dnssec`` to :any:`dnssec-policy`. - - The following - statements have become obsolete: :any:`dnskey-sig-validity`, - :any:`dnssec-dnskey-kskonly`, :any:`dnssec-update-mode`, - :any:`sig-validity-interval`, and :any:`update-check-ksk`. - :gl:`#3672` - -- Dynamic updates that add and remove DNSKEY and NSEC3PARAM records no - longer trigger key rollovers and denial-of-existence operations. This - also means that the :any:`dnssec-secure-to-insecure` option has been - obsoleted. :gl:`#3686` - -- The ``glue-cache`` *option* has been removed. The glue cache *feature* - still works and is now permanently *enabled*. :gl:`#2147` - -- Configuring the control channel to use a Unix domain socket has been a - fatal error since BIND 9.18. The feature has now been completely - removed and :iscman:`named-checkconf` now reports it as a - configuration error. :gl:`#4311` - -- The statements setting alternate local addresses for inbound zone - transfers (``alt-transfer-source``, ``alt-transfer-source-v6``, and - ``use-alt-transfer-source``) have been removed. :gl:`#3714` - -- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval`` - statements have been removed. Using them is now a fatal error. - :gl:`#4405` - -- BIND 9 no longer supports non-zero :any:`stale-answer-client-timeout` - values, when the feature is turned on. When using a non-zero value, - :iscman:`named` now generates a warning log message, and treats the - value as ``0``. :gl:`#4447` - -- The Differentiated Services Code Point (DSCP) feature has been - removed: configuring DSCP values in ``named.conf`` is now a - configuration error. :gl:`#3789` - -- The ``keep-response-order`` option has been declared obsolete and the - functionality has been removed. :iscman:`named` expects DNS clients to - be fully compliant with :rfc:`7766`. :gl:`#3140` - -- Zone type ``delegation-only``, and the ``delegation-only`` and - ``root-delegation-only`` statements, have been removed. Using them is - a configuration error. - - These statements were created to address the SiteFinder controversy, - in which certain top-level domains redirected misspelled queries to - other sites instead of returning NXDOMAIN responses. Since top-level - domains are now DNSSEC-signed, and DNSSEC validation is active by - default, the statements are no longer needed. :gl:`#3953` - -- The ``coresize``, ``datasize``, ``files``, and ``stacksize`` options - have been removed. The limits these options set should be enforced - externally, either by manual configuration (e.g. using ``ulimit``) or - via the process supervisor (e.g. ``systemd``). :gl:`#3676` - -- Support for using AES as the DNS COOKIE algorithm (``cookie-algorithm - aes;``) has been removed. The only supported DNS COOKIE algorithm is - now the current default, SipHash-2-4. :gl:`#4421` - -- The TKEY Mode 2 (Diffie-Hellman Exchanged Keying Mode) has been - removed and using TKEY Mode 2 is now a fatal error. Users are advised - to switch to TKEY Mode 3 (GSS-API). :gl:`#3905` - -- Special-case code that was originally added to allow GSS-TSIG to work - around bugs in the Windows 2000 version of Active Directory has now - been removed, since Windows 2000 is long past end-of-life. The - :option:`-o ` option and the ``oldgsstsig`` command to - :iscman:`nsupdate` have been deprecated, and are now treated as - synonyms for :option:`-g ` and ``gsstsig`` respectively. - :gl:`#4012` - -- Support for the ``lock-file`` statement and the ``named -X`` - command-line option has been removed. An external process supervisor - should be used instead. :gl:`#4391` - - Alternatively, the ``flock`` utility (part of util-linux) can be used - on Linux systems to achieve the same effect as ``lock-file`` or - ``named -X``: - - :: - - flock -n -x /named.lock /named - -- The :iscman:`named` command-line option :option:`-U `, which - specified the number of UDP dispatches, has been removed. Using it now - returns a warning. :gl:`#1879` - -- The ``--with-tuning`` option for ``configure`` has been removed. Each - of the compile-time settings that required different values based on - the "workload" (which were previously affected by the value of the - ``--with-tuning`` option) has either been removed or changed to a - sensible default. :gl:`#3664` - -- The functions that were in the ``libbind9`` shared library have been - moved to the ``libisc`` and ``libisccfg`` libraries. The now-empty - ``libbind9`` has been removed and is no longer installed. :gl:`#3903` - -- The ``irs_resconf`` module has been moved to the ``libdns`` shared - library. The now-empty ``libirs`` library has been removed and is no - longer installed. :gl:`#3904` - -.. _`jemalloc`: https://jemalloc.net/ - -Deprecated Features -~~~~~~~~~~~~~~~~~~~ - -Features listed in this section still work but are scheduled for eventual -removal. - -- The use of the :any:`max-zone-ttl` option in :namedconf:ref:`options` - and :namedconf:ref:`zone` blocks has been deprecated; it should now be - configured as part of :any:`dnssec-policy`. A warning is logged if - this option is used in :namedconf:ref:`options` or :any:`zone` blocks. - In a future release, it will become nonoperational. :gl:`#2918` - -- The :any:`sortlist` option has been deprecated and will be removed in a - future BIND 9.21.x release. Users should not rely on a specific order - of resource records in DNS messages. :gl:`#4593` - -- The ``fixed`` value for the :any:`rrset-order` option and the - corresponding ``configure`` script option have been deprecated and will - be removed in a future BIND 9.21.x release. Users should not rely on a - specific order of resource records in DNS messages. :gl:`#4446` - -Feature Changes -~~~~~~~~~~~~~~~ - -- BIND now depends on `liburcu`_, Userspace RCU, for lock-free data - structures. :gl:`#3934` - -- On Linux, `libcap`_ is now a required dependency to help :iscman:`named` - keep needed privileges. :gl:`#3583` - -- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. - libuv should be available on all supported platforms either as a - native package or as a backport. :gl:`#3567` - -- Outgoing zone transfers are no longer enabled by default. An explicit - :any:`allow-transfer` ACL must now be set at the :any:`zone`, - :any:`view`, or :namedconf:ref:`options` level to enable outgoing - transfers. :gl:`#4728` - -- DNS zones signed using :any:`dnssec-policy` now automatically detect - their parent servers, and BIND queries them to check the content of the - DS RRset. This allows DNSSEC key rollovers to safely and automatically - proceed when the parent zone is updated with new DNSSEC keys, i.e. - using the CDS/CDNSKEY mechanism. This behavior is facilitated by the - new :any:`checkds` feature, which automatically populates - :any:`parental-agents` by resolving the parent NS records. These parent - name servers are queried to check the DS RRset during a KSK rollover - initiated by :any:`dnssec-policy`. :gl:`#3901` - -- The responsiveness of :iscman:`named` was improved, when serving as an - authoritative DNS server for a delegation-heavy zone(s) shortly after - loading such zone(s). :gl:`#4045` - -- To improve query-processing latency under load, the uninterrupted time - spent on resolving long chains of cached domain names has been - reduced. :gl:`#4185` - -- QNAME minimization is now used when looking up the addresses of name - servers during the recursive resolution process. :gl:`#4209` - -- BIND now returns BADCOOKIE for out-of-date or otherwise bad but - well-formed DNS server cookies. :gl:`#4194` - -- The DNS name compression algorithm used in BIND 9 has been revised: it - now compresses more thoroughly than before, so responses containing - names with many labels might have a smaller encoding than before. - :gl:`#3661` - -- Processing large incremental transfers (IXFR) has been offloaded to a - separate work thread so that it does not prevent networking threads - from processing regular traffic in the meantime. :gl:`#4367` - -- Querying the statistics channel no longer blocks DNS communication on - the networking event loop level. :gl:`#4680` - -- The :any:`inline-signing` zone option is now ignored if there is no - :any:`dnssec-policy` configured for the zone. This means that unsigned - zones no longer create redundant signed versions of the zone. - :gl:`#4349` - -- The :any:`inline-signing` statement can now also be set inside - :any:`dnssec-policy`. The built-in policies ``default`` and - ``insecure`` enable the use of :any:`inline-signing`. If - :any:`inline-signing` is set at the ``zone`` level, it overrides the - value set in :any:`dnssec-policy`. :gl:`#3677` - -- Following :rfc:`9276` recommendations, :any:`dnssec-policy` now only - allows an NSEC3 iteration count of 0 for the DNSSEC-signed zones using - NSEC3 that the policy manages. :gl:`#4363` - -- The maximum number of NSEC3 iterations allowed for validation purposes - has been lowered from 150 to 50. DNSSEC responses containing NSEC3 - records with iteration counts greater than 50 are now treated as - insecure. :gl:`#4363` - -- The ``dnssec-validation yes`` option now requires an explicitly - configured :any:`trust-anchors` statement. If using manual trust - anchors is not operationally required, then please consider using - ``dnssec-validation auto`` instead. :gl:`#4373` - -- :iscman:`named-compilezone` no longer performs zone integrity checks - by default; this allows faster conversion of a zone file from one - format to another. :gl:`#4364` - - Zone checks can be performed by running :iscman:`named-checkzone` - separately, or the previous default behavior can be restored by using: - - :: - - named-compilezone -i full -k fail -n fail -r warn -m warn -M warn -S warn -T warn -W warn -C check-svcb:fail - -- The red-black tree data structure used in the RBTDB (the default - database implementation for cache and zone databases), has been - replaced with QP-tries. This is expected to improve performance and - scalability, though in the current implementation large zones require - roughly 15% more memory than the old red-black tree data structure. - - A side effect of this change is that zone files that are created with - :any:`masterfile-style` ``relative`` - for example, the output of - :any:`dnssec-signzone` - will no longer have multiple different - `$ORIGIN` statements. There should be no other changes to server - behavior. - - The old RBT-based database still exists for now, and can be used by - specifying ``database rbt`` in a ``zone`` statement in ``named.conf``, - or by compiling with ``configure --with-zonedb=rbt - --with-cachedb=rbt``. :gl:`#4411` :gl:`#4614` - -- Multiple RNDC messages are now processed when sent in a single TCP - message. - - ISC would like to thank Dominik Thalhammer for reporting the issue and - preparing the initial patch. :gl:`#4416` - -- The DNSSEC signing data included in zone statistics identified - keys only by the key ID; this caused confusion when two keys using - different algorithms had the same ID. Zone statistics now identify - keys using the algorithm number, followed by "+", followed by the - key ID: for example, ``8+54274``. :gl:`#3525` - -- The TTL of the NSEC3PARAM record for every NSEC3-signed zone was - previously set to 0. It is now changed to match the SOA MINIMUM value - for the given zone. :gl:`#3570` - -- On startup, :iscman:`named` now sets the limit on the number of open - files to the maximum allowed by the operating system, instead of - trying to set it to "unlimited". :gl:`#3676` - -- When an international domain name is not valid according to IDNA2008, - :iscman:`dig` now tries to convert it according to IDNA2003 rules, or - pass it through unchanged, instead of stopping with an error message. - The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527` - -- The memory statistics have been reduced to a single counter, - ``InUse``; ``Malloced`` is an alias that holds the same value. The - other counters were usable with the old BIND 9 internal memory - allocator, but they are unnecessary now that the latter has been - removed. :gl:`#3718` - -- The log message ``resolver priming query complete`` has been moved - from the INFO log level to the DEBUG(1) log level, to prevent - :iscman:`delv` from emitting that message when setting up its internal - resolver. :gl:`#3842` - -- Worker threads' event loops are now managed by a new "loop manager" - API, significantly changing the architecture of the task, timer, and - networking subsystems for improved performance and code flow. - :gl:`#3508` - -- The code for DNS over TCP and DNS over TLS transports has been - replaced with a new, unified transport implementation. :gl:`#3374` - -.. _`liburcu`: https://liburcu.org/ -.. _`libcap`: https://sites.google.com/site/fullycapable/ - -Bug Fixes -~~~~~~~~~ - -- When the same :any:`notify-source` address and port number was - configured for multiple destinations and zones, an unresponsive server - could tie up the relevant network socket until it timed out; in the - meantime, NOTIFY messages for other servers silently failed. - :iscman:`named` will now retry sending such NOTIFY messages over TCP. - Furthermore, NOTIFY failures are now logged at the INFO level. - :gl:`#4001` :gl:`#4002` - -- DNS compression is no longer applied to the root name (``.``) if it is - repeatedly used in the same RRset. :gl:`#3423` - -- :iscman:`named` could incorrectly return non-truncated, glueless - referrals for responses whose size was close to the UDP packet size - limit. This has been fixed. :gl:`#1967` - -Known Issues -~~~~~~~~~~~~ - -- On some platforms, including FreeBSD, :iscman:`named` must be run as - root to use the :iscman:`rndc` control channel on a privileged port - (i.e., with a port number less than 1024; this includes the default - :iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the - :option:`named -u` option to switch to an unprivileged user makes - :iscman:`rndc` unusable. This will be fixed in a future release; in - the meantime, ``mac_portacl`` can be used as a workaround, as - documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793` - -- See :ref:`above ` for a list of all known issues - affecting this BIND 9 branch. diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ee6f2ef748..0e089b68bc 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -9,8 +9,8 @@ .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. -Notes for BIND 9.19.25 ----------------------- +Notes for BIND 9.21.0 +--------------------- Security Fixes ~~~~~~~~~~~~~~ @@ -20,9 +20,7 @@ Security Fixes New Features ~~~~~~~~~~~~ -- Added a new statistics variable ``recursive high-water`` that reports - the maximum number of simultaneous recursive clients BIND has handled - while running. :gl:`#4668` +- None. Removed Features ~~~~~~~~~~~~~~~~ @@ -32,15 +30,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- Outgoing zone transfers are no longer enabled by default. An explicit - :any:`allow-transfer` ACL must now be set at the :any:`zone`, :any:`view` or - :namedconf:ref:`options` level to enable outgoing transfers. :gl:`#4728` +- None. Bug Fixes ~~~~~~~~~ -- An RPZ response's SOA record TTL was set to 1 instead of the SOA TTL, if - ``add-soa`` was used. This has been fixed. :gl:`#3323` +- None. Known Issues ~~~~~~~~~~~~