Tweak and reword release notes
@@ -15,16 +15,18 @@ Notes for BIND 9.18.6
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- DNSSEC ``RSASHA1`` and ``NSEC3RSASHA1`` are automatically disabled
|
||||
on systems (e.g. RHEL9) where they are disallowed by the security
|
||||
policy. Primary zones using those algorithms need to be moved
|
||||
off of them prior to running on these systems as graceful migration
|
||||
to different DNSSEC algorithms is not possible when RSASHA1 is
|
||||
disallowed by the OS. :gl:`#3469`
|
||||
- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
|
||||
disabled on systems where they are disallowed by the security policy
|
||||
(e.g. Red Hat Enterprise Linux 9). Primary zones using those
|
||||
algorithms need to be migrated to new algorithms prior to running on
|
||||
these systems, as graceful migration to different DNSSEC algorithms is
|
||||
not possible when RSASHA1 is disallowed by the operating system.
|
||||
:gl:`#3469`
|
||||
|
||||
- Fetch limit log messages have been improved to provide more complete
|
||||
information. Specifically, the final values of allowed and spilled fetches
|
||||
will now be logged before the counter object gets destroyed. :gl:`#3461`
|
||||
- Log messages related to fetch limiting have been improved to provide
|
||||
more complete information. Specifically, the final counts of allowed
|
||||
and spilled fetches are now logged before the counter object is
|
||||
destroyed. :gl:`#3461`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
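Review bot: In the reworded RSASHA1 entry, "need to be migrated to new algorithms" is ambiguous, since "new" can be read as newly introduced algorithms; the same sentence goes on to say "different DNSSEC algorithms", so reusing that wording (or "algorithms still permitted by the security policy") would be clearer. The rewrite also drops the literal markup the old text had on ``RSASHA1`` and ``NSEC3RSASHA1``; keeping it would match how option names are marked up elsewhere in these notes. The entry still does not say what an operator observes when a primary zone signed with one of these algorithms is loaded on such a system, and one clause on that would make the "prior to running on these systems" requirement actionable.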
@@ -35,18 +37,19 @@ Bug Fixes
|
||||
broken DS response and :iscman:`named` failed its attempts to find a
|
||||
proper one instead. This has been fixed. :gl:`#3439`
|
||||
|
||||
- Non-dynamic zones that inherit dnssec-policy from the view or
|
||||
options level were not marked as inline-signed, and thus were never
|
||||
scheduled to be re-signed. This is now fixed. :gl:`#3438`
|
||||
- Non-dynamic zones that inherit :any:`dnssec-policy` from the
|
||||
:namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
|
||||
marked as inline-signed and therefore never scheduled to be re-signed.
|
||||
This has been fixed. :gl:`#3438`
|
||||
|
||||
- The old ``max-zone-ttl`` zone option was meant to be superseded by
|
||||
the ``max-zone-ttl`` option in ``dnssec-policy``; however, the latter
|
||||
option was not fully effective. This has been corrected: zones will
|
||||
not load if they contain TTLs greater than the limit configured in
|
||||
``dnssec-policy``. In zones with both the old ``max-zone-ttl``
|
||||
option and ``dnssec-policy`` configured, the old option will be
|
||||
ignored, and a warning will be generated. :gl:`#2918`
|
||||
- The old :any:`max-zone-ttl` zone option was meant to be superseded by
|
||||
the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the
|
||||
latter option was not fully effective. This has been corrected: zones
|
||||
no longer load if they contain TTLs greater than the limit configured
|
||||
in :any:`dnssec-policy`. For zones with both the old
|
||||
:any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the
|
||||
old option is ignored, and a warning is generated. :gl:`#2918`
|
||||
|
||||
- Fix `rndc dumpdb -expired` to include expired RRsets, even if the cache
|
||||
cleaning time window has passed. This will now show expired RRsets that are
|
||||
stuck in the cache. :gl:`#3462`
|
||||
- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
|
||||
expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
|
||||
the cache-cleaning time window has passed. :gl:`#3462`
|
||||
|
||||
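Review bot: The reworded "rndc dumpdb -expired" entry is more than a rewording: it adds the condition "even if :any:`stale-cache-enable` is set to ``no``", which the previous text did not mention, and drops the statement that the dump now shows expired RRsets stuck in the cache. Please confirm the added condition matches what :gl:`#3462` actually fixed, and consider keeping the "stuck in the cache" sentence, since it tells operators why they would run the command. In the max-zone-ttl entry, the old zone option and the dnssec-policy option are now both written as :any:`max-zone-ttl`, so the two links will presumably resolve to the same target; leaving one of them as a literal, or qualifying the reference, would keep the distinction the sentence depends on.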