Tweak and reword release notes
@@ -47,12 +47,12 @@ Removed Features
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- The GSSAPI no longer uses the ISC implementation of the SPNEGO
|
||||
mechanism and instead relies on the SPNEGO implementation from the
|
||||
system Kerberos library. All major Kerberos libraries contain the
|
||||
SPNEGO mechanism implementation. This change was implemented in BIND
|
||||
9.17.2, but it was not included in the release notes at the time.
|
||||
[GL #2607]
|
||||
- The ISC implementation of SPNEGO was removed from BIND 9 source code.
|
||||
Instead, BIND 9 now always uses the SPNEGO implementation provided by
|
||||
the system GSSAPI library when it is built with GSSAPI support. All
|
||||
major contemporary Kerberos/GSSAPI libraries contain an implementation
|
||||
of the SPNEGO mechanism. This change was introduced in BIND 9.17.2,
|
||||
but it was not included in the release notes at the time. [GL #2607]
|
||||
|
||||
- The default value for the ``stale-answer-client-timeout`` option was
|
||||
changed from ``1800`` (ms) to ``off``. The default value may be
|
||||
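Review bot: The reworded SPNEGO entry now opens with "was removed from BIND 9 source code" but still sits under Feature Changes, while the hunk header shows a Removed Features section directly above it; consider moving the entry there so operators scanning for removals find it. The entry also states that all major contemporary Kerberos/GSSAPI libraries implement SPNEGO without saying what happens when the system library lacks it; one sentence on that case would help anyone building with GSSAPI support.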
@@ -67,38 +67,40 @@ Feature Changes
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``,
|
||||
``named`` now updates the keys immediately, avoiding unnecessary rollover
|
||||
delays. [#2488]
|
||||
- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used,
|
||||
``named`` now immediately attempts to reconfigure zone keys. This
|
||||
change prevents unnecessary key rollover delays. [GL #2488]
|
||||
|
||||
- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed.
|
||||
This has been fixed. [GL #2523]
|
||||
- Zones using KASP could not be thawed after they were frozen using
|
||||
``rndc freeze``. This has been fixed. [GL #2523]
|
||||
|
||||
- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from
|
||||
secure to insecure. "named-checkzone" no longer complains if such records
|
||||
exist in an unsigned zone. [GL #2517]
|
||||
- CDS/CDNSKEY DELETE records are now removed when a zone transitions
|
||||
from a secure to an insecure state. ``named-checkzone`` also no longer
|
||||
reports an error when such records are found in an unsigned zone.
|
||||
[GL #2517]
|
||||
|
||||
- Fix a crash when transferring a zone over TLS, after "named" previously
|
||||
skipped a master. [GL #2562]
|
||||
- ``named`` crashed after skipping a primary server while transferring a
|
||||
zone over TLS. This has been fixed. [GL #2562]
|
||||
|
||||
- It was discovered that the TCP idle and initial timeouts were incorrectly
|
||||
applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout``
|
||||
was applied on the whole connection, even if the connection were still active,
|
||||
which could cause a large zone transfer to be sent back to the client. The
|
||||
default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that
|
||||
any TCP connection taking more than 30 seconds was abruptly terminated. This
|
||||
has been fixed. [GL #2573]
|
||||
- TCP idle and initial timeouts were being incorrectly applied: only the
|
||||
``tcp-initial-timeout`` was applied on the whole connection, even if
|
||||
the connection were still active, which could prevent a large zone
|
||||
transfer from being sent back to the client. The default setting for
|
||||
``tcp-initial-timeout`` was 30 seconds, which meant that any TCP
|
||||
connection taking more than 30 seconds was abruptly terminated. This
|
||||
has been fixed. [GL #2583]
|
||||
|
||||
- When ``stale-answer-client-timeout`` was set to a positive value and
|
||||
recursion for a client query completed when ``named`` was about to look for
|
||||
a stale answer, an assertion could fail in ``query_respond()``, resulting in
|
||||
a crash. This has been fixed. [GL #2594]
|
||||
recursion for a client query completed when ``named`` was about to
|
||||
look for a stale answer, an assertion could fail in
|
||||
``query_respond()``, resulting in a crash. This has been fixed.
|
||||
[GL #2594]
|
||||
|
||||
- After upgrading to the previous release, journal files for trust anchor
|
||||
databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt
|
||||
state. (Other zone journal files were not affected.) This has been
|
||||
fixed. If a corrupt journal file is detected, ``named`` can now recover
|
||||
from it. [GL #2600]
|
||||
- After upgrading to the previous release, journal files for trust
|
||||
anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a
|
||||
corrupt state. (Other zone journal files were not affected.) This has
|
||||
been fixed. If a corrupt journal file is detected, ``named`` can now
|
||||
recover from it. [GL #2600]
|
||||
|
||||
- When dumping the cache to file, TTLs were being increased with
|
||||
``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
|
||||
|
||||
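Review bot: The two versions of the TCP timeouts entry carry different issue references, [GL #2573] and [GL #2583], which is more than a rewording; please confirm which issue is correct and note the correction in the commit message, which only mentions tweaking and rewording. The same entry also changes meaning from "could cause a large zone transfer to be sent back to the client" to "could prevent a large zone transfer from being sent back to the client" and drops the mention of the BIND 9.16 and 9.17 branches; both deserve a line in the commit message too. While this text is being touched, "even if the connection were still active" would read better as "was still active", and ``rndc checkds -checkds`` in the first entry is worth checking against the rndc documentation, since the command next to it is ``rndc dnssec -rollover``.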