Merge branch 'michal/prepare-documentation-for-bind-9.17.10' into 'v9_17_10-release'

Prepare documentation for BIND 9.17.10

See merge request isc-private/bind9!237
Michał Kępień
2021-02-04 09:48:53 +00:00
8 changed files with 169 additions and 178 deletions

CHANGES

@@ -36,13 +36,13 @@
on the wrong freed list. [GL #2460]
5578. [protocol] Make "check-names" accept A records below "_spf",
"_spf_rate" and "_spf_verify" labels in order to cater
"_spf_rate", and "_spf_verify" labels in order to cater
for the "exists" SPF mechanism specified in RFC 7208
section 5.7. and appendix D. [GL #2377]
section 5.7 and appendix D.1. [GL #2377]
5577. [bug] Fix the "three is a crowd" key rollover bug in
dnssec-policy by correctly implementing Equation(2) of
the "Flexible and Robust Key Rollover" paper. [GL #2375]
5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
correctly implementing Equation (2) of the "Flexible and
Robust Key Rollover" paper. [GL #2375]
5576. [experimental] Initial server-side implementation of DNS-over-HTTPS
(DoH). Support for both TLS-encrypted and unencrypted
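Review bot: the reworded 5577 entry replaces the user-facing option name "dnssec-policy" with the internal term "KASP"; operators grep CHANGES for the option they actually configure, so consider "in dnssec-policy (KASP)" or keeping "dnssec-policy", and use the same term consistently in the 5575 entry below and in the release notes.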
@@ -51,44 +51,46 @@
client-side support for DNS-over-HTTPS; this will be
added to dig in a future release.) [GL #1144]
5575. [bug] When migrating to dnssec-policy, BIND considered keys
with the "Inactive" and/or "Delete" timing metadata as
5575. [bug] When migrating to KASP, BIND 9 considered keys with the
"Inactive" and/or "Delete" timing metadata to be
possible active keys. This has been fixed. [GL #2406]
5574. [func] Incoming zone transfers can now use TLS.
Addresses in a "primaries" list take an optional
"tls" argument, specifying either a previously
configured "tls" block or "ephemeral"; SOA queries
and zone transfer requests will then be sent via
TLS. [GL #2392]
5574. [func] Incoming zone transfers can now use TLS. Addresses in a
"primaries" list take an optional "tls" argument,
specifying either a previously configured "tls" block or
"ephemeral"; SOA queries and zone transfer requests are
then sent via TLS. [GL #2392]
5573. [func] Also return stale data if an error occurred and we are
not resuming. Only start the stale-refresh-time window
if we timed out. [GL #2434]
5573. [func] When serve-stale is enabled and stale data is available,
named now returns stale answers upon encountering any
unexpected error in the query resolution process.
However, the "stale-refresh-time" window is still only
started upon a timeout. [GL #2434]
5572. [bug] Address potential double free in generatexml.
5572. [bug] Address potential double free in generatexml().
[GL #2420]
5571. [bug] If a zone had a non-builtin named allow-update acl
named failed to start. [GL #2413]
5571. [bug] named failed to start when its configuration included a
zone with a non-builtin "allow-update" ACL attached.
[GL #2413]
5570. [bug] Improve the performance of dnssec-verify by reducing
the number of repeated calls to dns_dnssec_keyfromrdata.
[GL #2073]
5570. [bug] Improve performance of the DNSSEC verification code by
reducing the number of repeated calls to
dns_dnssec_keyfromrdata(). [GL #2073]
5569. [bug] Emit useful error message when 'rndc retransfer' is
5569. [bug] Emit useful error message when "rndc retransfer" is
applied to a zone of inappropriate type. [GL #2342]
5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
keys. [GL #2178]
5567. [bug] Dig now reports unknown dash options while pre-parsing
the options. This prevents '-multi' instead of
'+multi' reporting memory usage before ending option
parsing on 'Invalid option: -lti'. [GL #2403]
the options. This prevents "-multi" instead of "+multi"
from reporting memory usage before ending option parsing
with "Invalid option: -lti". [GL #2403]
5566. [func] Add "stale-answer-client-timeout" option, which
is the amount of time a recursive resolver waits before
5566. [func] Add "stale-answer-client-timeout" option, which is the
amount of time a recursive resolver waits before
attempting to answer the query using stale data from
cache. [GL #2247]
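Review bot: the reworded 5571 entry drops any mention of when the "allow-update" ACL regression appeared; the notes-current.rst text deleted in this same commit attributes it to BIND 9.17.9 and 9.16.11, which is what an operator needs to decide whether they are affected, so consider keeping "introduced in 9.17.9" in the entry. Also, "Emit useful error message" in 5569 wants an article: "Emit a useful error message".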
@@ -96,26 +98,25 @@
BIND 9 version number, in an effort to tightly couple
internal libraries with a specific release. [GL #2387]
5564. [cleanup] Refactored the network manager TLSDNS module to use
libuv and libssl directly, rather than opening a
TLS/TCP socket stack. [GL #2235]
5564. [cleanup] Network manager's TLSDNS module was refactored to use
libuv and libssl directly instead of a stack of TCP/TLS
sockets. [GL #2335]
5563. [cleanup] Changed several obsolete configuration options to
ancient, making them into fatal errors. Also cleaned
up the number of clause flags in the configuration
parser. [GL #1086]
ancient, making them fatal errors. Also cleaned up the
number of clause flags in the configuration parser.
[GL #1086]
5562. [placeholder]
5561. [bug] KASP incorrectly set signature validity to the value
of the DNSKEY signature validity. This is now fixed.
5561. [bug] KASP incorrectly set signature validity to the value of
the DNSKEY signature validity. This is now fixed.
[GL #2383]
5560. [func] The default value of "max-stale-ttl" has been changed
from 12 hours to 1 day and the default value of
"stale-answer-ttl" has been changed from 1 second to
30 seconds, following RFC 8767 recommendations.
[GL #2248]
"stale-answer-ttl" has been changed from 1 second to 30
seconds, following RFC 8767 recommendations. [GL #2248]
--- 9.17.9 released ---
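Review bot: the 5564 entry's issue reference changes from [GL #2235] to [GL #2335] with no other substantive change to the entry; a documentation-only commit should not silently renumber an issue, so please confirm which number is correct and, if #2235 was a typo, say so in the merge request description.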


@@ -13,7 +13,7 @@
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with RFC-compliant
IPv6 support, POSIX-compliant threads, the `libuv` asynchronous I/O library,
and the OpenSSL cryptography library.
the OpenSSL cryptography library, and the `nghttp2` HTTP/2 library.
The following C11 features are used in BIND 9:
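Review bot: the sentence now lists `nghttp2` as an unconditional build requirement, but CHANGES marks the DoH server side as experimental; if configure fails without `nghttp2`, say so plainly and state the minimum version it checks for, as this paragraph already does for C11 and RFC-compliant IPv6, otherwise say it is needed only when building with DoH support.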


@@ -128,13 +128,13 @@ including your patch as an attachment, preferably generated by
At a minimum, BIND requires a Unix or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. BIND also requires the
`libuv` asynchronous I/O library, and a cryptography provider library
such as OpenSSL or a hardware service module supporting PKCS#11. On
Linux, BIND requires the `libcap` library to set process privileges,
though this requirement can be overridden by disabling capability
support at compile time. See [Compile-time options](#opts) below
for details on other libraries that may be required to support
optional features.
`libuv` asynchronous I/O library, the `nghttp2` HTTP/2 library, and a
cryptography provider library such as OpenSSL or a hardware service
module supporting PKCS#11. On Linux, BIND requires the `libcap` library
to set process privileges, though this requirement can be overridden by
disabling capability support at compile time. See [Compile-time
options](#opts) below for details on other libraries that may be
required to support optional features.
Successful builds have been observed on many versions of Linux and
Unix, including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE,
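Review bot: while this paragraph is being rewrapped, "hardware service module supporting PKCS#11" should read "hardware security module" (HSM); the typo is carried over unchanged from the old lines. The rewrap itself is fine.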


@@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.10.rst
.. include:: ../notes/notes-9.17.9.rst
.. include:: ../notes/notes-9.17.8.rst
.. include:: ../notes/notes-9.17.7.rst

doc/notes/notes-9.17.10.rst Normal file

@@ -0,0 +1,118 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.10
----------------------
New Features
~~~~~~~~~~~~
- Support for DNS-over-HTTPS (DoH) was added to ``named``. Because of
this, the ``nghttp2`` HTTP/2 library is now required for building the
development branch of BIND 9. Both TLS-encrypted and unencrypted
HTTP/2 connections are supported (the latter may be used to offload
encryption to other software).
Note that there is no client-side support for HTTPS as yet; this will
be added to ``dig`` in a future release. [GL #1144]
- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
outgoing zone transfers. Addresses in a ``primaries`` list can now be
accompanied by an optional ``tls`` keyword, followed by either the
name of a previously configured ``tls`` statement or ``ephemeral``.
[GL #2392]
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The
option defines the amount of time ``named`` waits before attempting to
answer the query with a stale RRset from cache. If a stale answer is
found, ``named`` continues the ongoing fetches, attempting to refresh
the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
The default value is ``1800`` (in milliseconds) and the maximum value
is limited to ``resolver-query-timeout`` minus one second. A value of
``0`` causes any available cached RRset to immediately be returned
while still triggering a refresh of the data in cache.
This new behavior can be disabled by setting
``stale-answer-client-timeout`` to ``off`` or ``disabled``. The new
option has no effect if ``stale-answer-enable`` is disabled.
[GL #2247]
Removed Features
~~~~~~~~~~~~~~~~
- A number of non-working configuration options that had been marked as
obsolete in previous releases have now been removed completely. Using
any of the following options is now considered a configuration
failure: ``acache-cleaning-interval``, ``acache-enable``,
``additional-from-auth``, ``additional-from-cache``,
``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
Feature Changes
~~~~~~~~~~~~~~~
- When serve-stale is enabled and stale data is available, ``named`` now
returns stale answers upon encountering any unexpected error in the
query resolution process. This may happen, for example, if the
``fetches-per-server`` or ``fetches-per-zone`` limits are reached. In
this case, ``named`` attempts to answer DNS requests with stale data,
but does not start the ``stale-refresh-time`` window. [GL #2434]
- The default value of ``max-stale-ttl`` has been changed from 12 hours
to 1 day and the default value of ``stale-answer-ttl`` has been
changed from 1 second to 30 seconds, following :rfc:`8767`
recommendations. [GL #2248]
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
- When ``check-names`` is in effect, A records below an ``_spf``,
``_spf_rate``, or ``_spf_verify`` label (which are employed by the
``exists`` SPF mechanism defined in :rfc:`7208` section 5.7/appendix
D.1) are no longer reported as warnings/errors. [GL #2377]
Bug Fixes
~~~~~~~~~
- ``named`` failed to start when its configuration included a zone with
a non-builtin ``allow-update`` ACL attached. [GL #2413]
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA
key. This has been fixed. [GL #2178]
- KASP incorrectly set signature validity to the value of the DNSKEY
signature validity. This has been fixed. [GL #2383]
- When migrating to KASP, BIND 9 considered keys with the ``Inactive``
and/or ``Delete`` timing metadata to be possible active keys. This has
been fixed. [GL #2406]
- Fix the "three is a crowd" key rollover bug in KASP. When keys rolled
faster than the time required to finish the rollover procedure, the
successor relation equation failed because it assumed only two keys
were taking part in a rollover. This could lead to premature removal
of predecessor keys. BIND 9 now implements a recursive successor
relation, as described in the paper "Flexible and Robust Key Rollover"
(Equation (2)). [GL #2375]
- Performance of the DNSSEC verification code (used by
``dnssec-signzone``, ``dnssec-verify``, and mirror zones) has been
improved. [GL #2073]
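Review bot: the "three is a crowd" entry is written in the imperative ("Fix the ..."), unlike the other Bug Fixes entries, which describe the past state and end with "This has been fixed"; reword to match, e.g. "The "three is a crowd" key rollover bug in KASP has been fixed." The ``allow-update`` entry also loses the regression scope (BIND 9.17.9 and 9.16.11) that the deleted notes-current.rst gave it, and this file omits the "Security Fixes" and "Known Issues" sections that notes-current.rst carried; if the notes template expects them even when empty, restore them with "- None."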


@@ -31,7 +31,7 @@ Feature Changes
programs that interact with the network and process arbitrary user
input. [GL #1933]
- As part of an ongoing effort to use RFC 8499 terminology,
- As part of an ongoing effort to use :rfc:`8499` terminology,
``primaries`` can now be used as a synonym for ``masters`` in
``named.conf``. Similarly, ``notify primary-only`` can now be used as
a synonym for ``notify master-only``. The output of ``rndc


@@ -23,7 +23,7 @@ Feature Changes
without making it bogus in the process; changing to ``dnssec-policy
none;`` also causes CDS and CDNSKEY DELETE records to be published, to
signal that the entire DS RRset at the parent must be removed, as
described in RFC 8078. [GL #1750]
described in :rfc:`8078`. [GL #1750]
- When using the ``unixtime`` or ``date`` method to update the SOA
serial number, ``named`` and ``dnssec-signzone`` silently fell back to


@@ -1,128 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.10
----------------------
Security Fixes
~~~~~~~~~~~~~~
- None.
Known Issues
~~~~~~~~~~~~
- None.
New Features
~~~~~~~~~~~~
- A new option, ``stale-answer-client-timeout``, has been added to
improve ``named``'s behavior with respect to serving stale data. The option
defines the amount of time ``named`` waits before attempting
to answer the query with a stale RRset from cache. If a stale answer
is found, ``named`` continues the ongoing fetches, attempting to
refresh the RRset in cache until the ``resolver-query-timeout`` interval is
reached.
The default value is ``1800`` (in milliseconds) and the maximum value is
bounded to ``resolver-query-timeout`` minus one second. A value of
``0`` immediately returns a cached RRset if available, and still
attempts a refresh of the data in cache.
The option can be disabled by setting the value to ``off`` or
``disabled``. It also has no effect if ``stale-answer-enable`` is
disabled. [GL #2247]
- Also return stale data if an error occurred and we are not resuming a
query (and serve-stale is enabled). This may happen for example if
``fetches-per-server`` or ``fetches-per-zone` limits are reached. In this
case, we will try to answer DNS requests with stale data, but not start
the ``stale-refresh-time`` window. [GL #2434]
- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as
outgoing zone transfers. Addresses in a ``primaries`` list can take
an optional ``tls`` option which specifies either a previously configured
``tls`` statement or ``ephemeral``. [GL #2392]
- ``named`` now supports DNS-over-HTTPS (DoH). Both TLS-encrypted and
unencrypted HTTP/2 connections are supported (the latter may be used to
offload encryption to other software).
Note that there is no client-side support for HTTPS as yet; this will be
added to ``dig`` in a future release. [GL #1144]
Removed Features
~~~~~~~~~~~~~~~~
- A number of non-working configuration options that had been marked
as obsolete in previous releases have now been removed completely.
Using any of the following options is now considered a configuration
failure:
``acache-cleaning-interval``, ``acache-enable``, ``additional-from-auth``,
``additional-from-cache``, ``allow-v6-synthesis``, ``cleaning-interval``,
``dnssec-enable``, ``dnssec-lookaside``, ``filter-aaaa``,
``filter-aaaa-on-v4``, ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. [GL #1086]
Feature Changes
~~~~~~~~~~~~~~~
- The SONAMEs for BIND 9 libraries now include the current BIND 9
version number, in an effort to tightly couple internal libraries with
a specific release. This change makes the BIND 9 release process both
simpler and more consistent while also unequivocally preventing BIND 9
binaries from silently loading wrong versions of shared libraries (or
multiple versions of the same shared library) at startup. [GL #2387]
- The default value of ``max-stale-ttl`` has been changed from 12 hours to 1
day, and the default value of ``stale-answer-ttl`` has been changed from 1
second to 30 seconds, following RFC 8767 recommendations. [GL #2248]
- When ``check-names`` is in effect, A records below an ``_spf``, ``_spf_rate``
and ``_spf_verify`` labels (which are employed by the ``exists`` SPF
mechanism defined inr:rfc:`7208` section 5.7/appendix D1) are no longer
reported as warnings/errors. [GL #2377]
Bug Fixes
~~~~~~~~~
- KASP incorrectly set signature validity to the value of the DNSKEY signature
validity. This is now fixed. [GL #2383]
- Previously, ``dnssec-keyfromlabel`` crashed when operating on an ECDSA key.
This has been fixed. [GL #2178]
- The use of named ACLs in ``allow-update`` was broken in BIND 9.17.9 and
BIND 9.16.11, preventing ``named`` from starting. [GL #2413]
- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
and/or "Delete" timing metadata as possible active keys. This has been fixed.
[GL #2406]
- Fixed the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
rolled faster than the time required to finish the rollover procedure, the
successor relation equation failed because it assumed only two keys were
taking part in a rollover. This could lead to premature removal of
predecessor keys. BIND 9 now implements a recursive successor relation, as
described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
[GL #2375]
- If an invalid key name (e.g. "a..b") was specified in a ``primaries``
list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
which resulted in the returned memory being put on the wrong freed
list. This has been fixed. [GL #2460]
- If an outgoing packet would exceed max-udp-size, it would be dropped instead
of sending a proper response back. Rollback setting the IP_DONTFRAG on the
UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
[GL #2487]
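Review bot: two bug-fix entries in this deleted file have no counterpart in the new doc/notes/notes-9.17.10.rst: the ``isc_mem_put()`` wrong-size fix for invalid key names in a ``primaries`` list [GL #2460], which CHANGES still lists for this release (the context line just above entry 5578), and the max-udp-size/IP_DONTFRAG rollback [GL #2487]. Either carry both over to the 9.17.10 notes or state in the merge request why they are dropped; a memory-management fix silently vanishing from the release notes is the kind of omission operators notice.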