From 8aaf84dad757f07d30008cc8062bf562f6b6d796 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 4 Aug 2022 23:37:41 +0200 Subject: [PATCH] Tweak and reword release notes --- doc/notes/notes-9.18.6.rst | 47 ++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/doc/notes/notes-9.18.6.rst b/doc/notes/notes-9.18.6.rst index f80659b768..546dfa7b3c 100644 --- a/doc/notes/notes-9.18.6.rst +++ b/doc/notes/notes-9.18.6.rst @@ -15,16 +15,18 @@ Notes for BIND 9.18.6 Feature Changes ~~~~~~~~~~~~~~~ -- DNSSEC ``RSASHA1`` and ``NSEC3RSASHA1`` are automatically disabled - on systems (e.g. RHEL9) where they are disallowed by the security - policy. Primary zones using those algorithms need to be moved - off of them prior to running on these systems as graceful migration - to different DNSSEC algorithms is not possible when RSASHA1 is - disallowed by the OS. :gl:`#3469` +- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically + disabled on systems where they are disallowed by the security policy + (e.g. Red Hat Enterprise Linux 9). Primary zones using those + algorithms need to be migrated to new algorithms prior to running on + these systems, as graceful migration to different DNSSEC algorithms is + not possible when RSASHA1 is disallowed by the operating system. + :gl:`#3469` -- Fetch limit log messages have been improved to provide more complete - information. Specifically, the final values of allowed and spilled fetches - will now be logged before the counter object gets destroyed. :gl:`#3461` +- Log messages related to fetch limiting have been improved to provide + more complete information. Specifically, the final counts of allowed + and spilled fetches are now logged before the counter object is + destroyed. :gl:`#3461` Bug Fixes ~~~~~~~~~ 
@@ -35,18 +37,19 @@ Bug Fixes broken DS response and :iscman:`named` failed its attempts to find a proper one instead. This has been fixed. :gl:`#3439` -- Non-dynamic zones that inherit dnssec-policy from the view or - options level were not marked as inline-signed, and thus were never - scheduled to be re-signed. This is now fixed. :gl:`#3438` +- Non-dynamic zones that inherit :any:`dnssec-policy` from the + :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not + marked as inline-signed and therefore never scheduled to be re-signed. + This has been fixed. :gl:`#3438` -- The old ``max-zone-ttl`` zone option was meant to be superseded by - the ``max-zone-ttl`` option in ``dnssec-policy``; however, the latter - option was not fully effective. This has been corrected: zones will - not load if they contain TTLs greater than the limit configured in - ``dnssec-policy``. In zones with both the old ``max-zone-ttl`` - option and ``dnssec-policy`` configured, the old option will be - ignored, and a warning will be generated. :gl:`#2918` +- The old :any:`max-zone-ttl` zone option was meant to be superseded by + the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the + latter option was not fully effective. This has been corrected: zones + no longer load if they contain TTLs greater than the limit configured + in :any:`dnssec-policy`. For zones with both the old + :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the + old option is ignored, and a warning is generated. :gl:`#2918` -- Fix `rndc dumpdb -expired` to include expired RRsets, even if the cache - cleaning time window has passed. This will now show expired RRsets that are - stuck in the cache. :gl:`#3462` +- :option:`rndc dumpdb -expired ` was fixed to include + expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and + the cache-cleaning time window has passed. :gl:`#3462`
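Review bot: In the first hunk (Feature Changes), the rewritten RSASHA1 entry names both RSASHA1 and NSEC3RSASHA1 in its first sentence, but its closing clause, "not possible when RSASHA1 is disallowed by the operating system", mentions only RSASHA1. Wording it as "when these algorithms are disallowed by the operating system" would keep the two sentences in step. The entry also drops the literal markup on the algorithm names while the second hunk adds roles to option names, so consider keeping ``RSASHA1`` and ``NSEC3RSASHA1`` as literals for consistency within the file.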
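Review bot: In the second hunk (Bug Fixes), the rewritten "rndc dumpdb -expired" entry adds a condition, "even if :any:`stale-cache-enable` is set to ``no``", that the removed text did not state, and it drops the sentence saying the dump now shows expired RRsets that are stuck in the cache. For a commit whose subject is a reword, please confirm the new condition against the change referenced as #3462, and consider keeping a short clause on the operator-visible effect. As shown here, the :option: role text also ends with a space before the closing backquote, which is worth checking in the rendered output.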