Restore release notes for BIND 9.17.1

Michał Kępień
2020-05-12 15:20:22 +02:00
parent ff1ac20e0f
commit e7a9fc8a0e
4 changed files with 71 additions and 102 deletions

View File

@@ -1,101 +0,0 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<section xml:id="relnotes-9.17.1"><info><title>Notes for BIND 9.17.1</title></info>
<section xml:id="relnotes-9.17.1-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-known"><info><title>Known Issues</title></info>
<itemizedlist>
<listitem>
<para>
We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated.
[GL #1685]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-new"><info><title>New Features</title></info>
<itemizedlist>
<listitem>
<para>
A new option, <command>nsdname-wait-recurse</command>, has been added
to the <command>response-policy</command> clause in the configuration
file. When set to <command>no</command>, RPZ NSDNAME rules are only
applied if the authoritative nameservers for the query name have been
looked up and are present in the cache. If this information is not
present, the RPZ NSDNAME rules are ignored, but the information is
looked up in the background and applied to subsequent queries. The
default is <command>yes</command>, meaning that RPZ NSDNAME rules
should always be applied, even if the information needs to be looked
up first. [GL #1138]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-changes"><info><title>Feature Changes</title></info>
<itemizedlist>
<listitem>
<para>
The previous DNSSEC sign statistics used lots of memory. The number of
keys to track is reduced to four per zone, which should be enough for
99% of all signed zones. [GL #1179]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.17.1-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>
<para>
When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, <command>named</command> could become
nonresponsive for a short period while deleted names were removed from
the RPZ summary database. This database cleanup is now done
incrementally over a longer period of time, reducing such delays.
[GL #1447]
</para>
</listitem>
<listitem>
<para>
When trying to migrate an already-signed zone from
<command>auto-dnssec maintain</command> to one based on
<command>dnssec-policy</command>, the existing keys were immediately
deleted and replaced with new ones. As the key rollover timing
constraints were not being followed, it was possible that some clients
would not have been able to validate responses until all old DNSSEC
information had timed out from caches. BIND now looks at the time
metadata of the existing keys and incorporates it into its DNSSEC
policy operation. [GL #1706]
</para>
</listitem>
</itemizedlist>
</section>
</section>
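Review bot: removing this XML file also removes the `xml:id` anchors it defined (`relnotes-9.17.1`, `relnotes-9.17.1-security`, `relnotes-9.17.1-known`, `relnotes-9.17.1-new`, `relnotes-9.17.1-changes`, `relnotes-9.17.1-bugs`), so any cross-reference elsewhere in the ARM that still points at one of them will break; please grep the docs for those ids before merging. The hunk also drops the only copy of the GL #1574 security note (DNS rebinding protection ineffective in forwarding mode), so the RST replacement added in this commit must carry that entry verbatim, otherwise the advisory silently disappears from the release notes.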

View File

@@ -125,6 +125,7 @@ Bug Fixes
inadvertently treated as configuration errors when used at the
``options`` or ``view`` level. This has now been corrected. [GL #913]
.. include:: ../notes/notes-9.17.1.rst
.. include:: ../notes/notes-9.17.0.rst
.. _relnotes_license:
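Review bot: the new `.. include:: ../notes/notes-9.17.1.rst` line lands immediately after the `[GL #913]` paragraph; in the rendered hunk there is no blank line between them, and docutils only recognises an `include` directive that starts a new block, so confirm the blank line is present in the actual file, otherwise the directive text is rendered as part of the Bug Fixes paragraph and the 9.17.1 notes never appear. Ordering (9.17.1 ahead of 9.17.0, newest first) is consistent with the existing include.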

View File

@@ -0,0 +1,69 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.1
---------------------
Security Fixes
~~~~~~~~~~~~~~
- DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
Known Issues
~~~~~~~~~~~~
- We have received reports that in some circumstances, receipt of an
IXFR can cause the processing of queries to slow significantly. Some
of these were related to RPZ processing, which has been fixed in this
release (see below). Others appear to occur where there are
NSEC3-related changes (such as an operator changing the NSEC3 salt
used in the hash calculation). These are being investigated. [GL
#1685]
New Features
~~~~~~~~~~~~
- A new option, ``nsdname-wait-recurse``, has been added to the
``response-policy`` clause in the configuration file. When set to
``no``, RPZ NSDNAME rules are only applied if the authoritative
nameservers for the query name have been looked up and are present in
the cache. If this information is not present, the RPZ NSDNAME rules
are ignored, but the information is looked up in the background and
applied to subsequent queries. The default is ``yes``, meaning that
RPZ NSDNAME rules should always be applied, even if the information
needs to be looked up first. [GL #1138]
Feature Changes
~~~~~~~~~~~~~~~
- The previous DNSSEC sign statistics used lots of memory. The number
of keys to track is reduced to four per zone, which should be enough
for 99% of all signed zones. [GL #1179]
Bug Fixes
~~~~~~~~~
- When an RPZ policy zone was updated via zone transfer and a large
number of records was deleted, ``named`` could become nonresponsive
for a short period while deleted names were removed from the RPZ
summary database. This database cleanup is now done incrementally
over a longer period of time, reducing such delays. [GL #1447]
- When trying to migrate an already-signed zone from ``auto-dnssec
maintain`` to one based on ``dnssec-policy``, the existing keys were
immediately deleted and replaced with new ones. As the key rollover
timing constraints were not being followed, it was possible that some
clients would not have been able to validate responses until all old
DNSSEC information had timed out from caches. BIND now looks at the
time metadata of the existing keys and incorporates it into its
DNSSEC policy operation. [GL #1706]
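Review bot: the Known Issues entry wraps its tracker reference across a line break (`[GL` / `#1685]`), unlike every other entry in this file, which keeps `[GL #NNNN]` on one line; reflow it to match so that a search for `GL #1685` in the source finds it. Also confirm that the copyright lines following the leading `..` are indented in the committed file; as shown in the hunk they are flush left, and an unindented line after `..` ends the comment, which would render the license header as body text above "Notes for BIND 9.17.1". The Security Fixes entry matches the deleted XML text for GL #1574 word for word, which is what the restore needs.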

View File

@@ -1150,7 +1150,6 @@
./doc/arm/logging-categories.rst RST 2020
./doc/arm/managed-keys.rst RST 2020
./doc/arm/manpages.rst RST 2020
./doc/arm/notes-9.17.1.xml SGML 2020
./doc/arm/notes-9.17.2.xml SGML 2020
./doc/arm/notes.rst RST 2020
./doc/arm/pkcs11.rst RST 2020
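Review bot: this hunk drops only `./doc/arm/notes-9.17.1.xml` from the copyright check list, while the adjacent `./doc/arm/notes-9.17.2.xml SGML 2020` entry stays; since the commit moves the 9.17.1 notes from XML under `doc/arm/` to RST under `doc/notes/`, please state whether the 9.17.2 XML is meant to remain in the old location or needs the same migration in a follow-up, so the two release-note files do not end up in different formats and directories.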
@@ -1249,6 +1248,7 @@
./doc/misc/static-stub.zoneopt X 2018,2019,2020
./doc/misc/stub.zoneopt X 2018,2019,2020
./doc/notes/notes-9.17.0.rst RST 2020
./doc/notes/notes-9.17.1.rst RST 2020
./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020
./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020