diff --git a/CHANGES b/CHANGES index bf38de9c19..ceb83dcad5 100644 --- a/CHANGES +++ b/CHANGES @@ -24,6 +24,8 @@ the structure. Remove DNS_NAMEATTR_* macros. Fix latent attribute handling bug in RBT. [GL !6902] + --- 9.19.6 released --- + 5992. [func] Introduce the new isc_mem_*x() APIs that takes extra flags as the last argument. Currently ISC_MEM_ZERO and ISC_MEM_ALIGN(n) flags have been implemented that diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index ab28b4955c..fb3289ed59 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -37,6 +37,7 @@ https://www.isc.org/download/. There you will find additional information about each release, and source code. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.19.6.rst .. include:: ../notes/notes-9.19.5.rst .. include:: ../notes/notes-9.19.4.rst .. include:: ../notes/notes-9.19.3.rst diff --git a/doc/notes/notes-9.19.6.rst b/doc/notes/notes-9.19.6.rst new file mode 100644 index 0000000000..7a6272217a --- /dev/null +++ b/doc/notes/notes-9.19.6.rst @@ -0,0 +1,98 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.19.6 +--------------------- + +Known Issues +~~~~~~~~~~~~ + +- Upgrading from BIND 9.16.32, 9.18.6, 9.19.4, or any older version may + require a manual configuration change. The following configurations + are affected: + + - :any:`type primary` zones configured with :any:`dnssec-policy` but + without either :any:`allow-update` or :any:`update-policy`, + - :any:`type secondary` zones configured with :any:`dnssec-policy`. + + In these cases please add :namedconf:ref:`inline-signing yes; + ` to the individual zone configuration(s). Without + applying this change, :iscman:`named` will fail to start. For more + details, see + https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing + +New Features +~~~~~~~~~~~~ + +- Support for parsing and validating the ``dohpath`` service parameter + in SVCB records was added. :gl:`#3544` + +- :iscman:`named` now supports forwarding Dynamic DNS updates through + DNS-over-TLS (DoT). :gl:`#3512` + +- The :iscman:`nsupdate` tool now supports DNS-over-TLS (DoT). + :gl:`#1781` + +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of :option:`named -V`. :gl:`#3541` + +- A new configuration option :any:`require-cookie` has been introduced. + It specifies whether there should be a DNS COOKIE in the response for + a given prefix; if not, :iscman:`named` falls back to TCP. This is + useful if it is known that a given server supports DNS COOKIE. It can + also be used to force all non-DNS COOKIE responses to fall back to + TCP. :gl:`#2295` + +- Support for libsystemd's ``sd_notify()`` function was added, enabling + :iscman:`named` to report its status to the init system. This allows + systemd to wait until :iscman:`named` is fully ready before starting + other services that depend on name resolution. :gl:`#1176` + +- The ``recursion not available`` and ``query (cache) '...' denied`` log + messages were extended to include the name of the ACL that caused a + given query to be denied. :gl:`#3587` + +Feature Changes +~~~~~~~~~~~~~~~ + +- When an international domain name is not valid according to IDNA2008, + :iscman:`dig` now tries to convert it according to IDNA2003 rules, or + pass it through unchanged, instead of stopping with an error message. + The ``idna2`` utility can be used to check IDNA syntax. :gl:`#3527` + +- The DNSSEC signing data included in zone statistics identified + keys only by the key ID; this caused confusion when two keys using + different algorithms had the same ID. Zone statistics now identify + keys using the algorithm number, followed by "+", followed by the + key ID: for example, ``8+54274``. :gl:`#3525` + +- The ability to use PKCS#11 via engine_pkcs11 has been restored, by + using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be + compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS + environment variable at compile time. :gl:`#3578` + +- Compiling BIND 9 now requires at least libuv version 1.34.0 or higher. + libuv should be available on all supported platforms either as a + native package or as a backport. :gl:`#3567` + +Bug Fixes +~~~~~~~~~ + +- An assertion failure was fixed in :iscman:`named` that was caused by + aborting the statistics channel connection while sending statistics + data to the client. :gl:`#3542` + +- :iscman:`named` could incorrectly return non-truncated, glueless + referrals for responses whose size was close to the UDP packet size + limit. This has been fixed. :gl:`#1967` + +- Changing just the TSIG key names for primaries in catalog zones' + member zones was not effective. This has been fixed. :gl:`#3557`