diff --git a/doc/arm/notes-9.17.1.xml b/doc/arm/notes-9.17.1.xml deleted file mode 100644 index da15f4bd31..0000000000 --- a/doc/arm/notes-9.17.1.xml +++ /dev/null @@ -1,101 +0,0 @@ - - -
Notes for BIND 9.17.1 - -
Security Fixes - - - - DNS rebinding protection was ineffective when BIND 9 is configured as - a forwarding DNS server. Found and responsibly reported by Tobias - Klein. [GL #1574] - - - -
- -
Known Issues - - - - We have received reports that in some circumstances, receipt of an - IXFR can cause the processing of queries to slow significantly. Some - of these were related to RPZ processing, which has been fixed in this - release (see below). Others appear to occur where there are - NSEC3-related changes (such as an operator changing the NSEC3 salt - used in the hash calculation). These are being investigated. - [GL #1685] - - - -
- -
New Features - - - - A new option, nsdname-wait-recurse, has been added - to the response-policy clause in the configuration - file. When set to no, RPZ NSDNAME rules are only - applied if the authoritative nameservers for the query name have been - looked up and are present in the cache. If this information is not - present, the RPZ NSDNAME rules are ignored, but the information is - looked up in the background and applied to subsequent queries. The - default is yes, meaning that RPZ NSDNAME rules - should always be applied, even if the information needs to be looked - up first. [GL #1138] - - - -
- -
Feature Changes - - - - The previous DNSSEC sign statistics used lots of memory. The number of - keys to track is reduced to four per zone, which should be enough for - 99% of all signed zones. [GL #1179] - - - -
- -
Bug Fixes - - - - When an RPZ policy zone was updated via zone transfer and a large - number of records was deleted, named could become - nonresponsive for a short period while deleted names were removed from - the RPZ summary database. This database cleanup is now done - incrementally over a longer period of time, reducing such delays. - [GL #1447] - - - - - When trying to migrate an already-signed zone from - auto-dnssec maintain to one based on - dnssec-policy, the existing keys were immediately - deleted and replaced with new ones. As the key rollover timing - constraints were not being followed, it was possible that some clients - would not have been able to validate responses until all old DNSSEC - information had timed out from caches. BIND now looks at the time - metadata of the existing keys and incorporates it into its DNSSEC - policy operation. [GL #1706] - - - -
- -
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index a8d26508e8..6ca3ab7b7a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -125,6 +125,7 @@ Bug Fixes inadvertently treated as configuration errors when used at the ``options`` or ``view`` level. This has now been corrected. [GL #913] +.. include:: ../notes/notes-9.17.1.rst .. include:: ../notes/notes-9.17.0.rst .. _relnotes_license: diff --git a/doc/notes/notes-9.17.1.rst b/doc/notes/notes-9.17.1.rst new file mode 100644 index 0000000000..a088e11acc --- /dev/null +++ b/doc/notes/notes-9.17.1.rst 
@@ -0,0 +1,69 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.17.1 +--------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + +Known Issues +~~~~~~~~~~~~ + +- We have received reports that in some circumstances, receipt of an + IXFR can cause the processing of queries to slow significantly. Some + of these were related to RPZ processing, which has been fixed in this + release (see below). Others appear to occur where there are + NSEC3-related changes (such as an operator changing the NSEC3 salt + used in the hash calculation). These are being investigated. [GL + #1685] + +New Features +~~~~~~~~~~~~ + +- A new option, ``nsdname-wait-recurse``, has been added to the + ``response-policy`` clause in the configuration file. When set to + ``no``, RPZ NSDNAME rules are only applied if the authoritative + nameservers for the query name have been looked up and are present in + the cache. If this information is not present, the RPZ NSDNAME rules + are ignored, but the information is looked up in the background and + applied to subsequent queries. The default is ``yes``, meaning that + RPZ NSDNAME rules should always be applied, even if the information + needs to be looked up first. [GL #1138] + +Feature Changes +~~~~~~~~~~~~~~~ + +- The previous DNSSEC sign statistics used lots of memory. The number + of keys to track is reduced to four per zone, which should be enough + for 99% of all signed zones. 
[GL #1179] + +Bug Fixes +~~~~~~~~~ + +- When an RPZ policy zone was updated via zone transfer and a large + number of records was deleted, ``named`` could become nonresponsive + for a short period while deleted names were removed from the RPZ + summary database. This database cleanup is now done incrementally + over a longer period of time, reducing such delays. [GL #1447] + +- When trying to migrate an already-signed zone from ``auto-dnssec + maintain`` to one based on ``dnssec-policy``, the existing keys were + immediately deleted and replaced with new ones. As the key rollover + timing constraints were not being followed, it was possible that some + clients would not have been able to validate responses until all old + DNSSEC information had timed out from caches. BIND now looks at the + time metadata of the existing keys and incorporates it into its + DNSSEC policy operation. [GL #1706] + diff --git a/util/copyrights b/util/copyrights index b2dd3819da..6b2e356143 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1150,7 +1150,6 @@ ./doc/arm/logging-categories.rst RST 2020 ./doc/arm/managed-keys.rst RST 2020 ./doc/arm/manpages.rst RST 2020 -./doc/arm/notes-9.17.1.xml SGML 2020 ./doc/arm/notes-9.17.2.xml SGML 2020 ./doc/arm/notes.rst RST 2020 ./doc/arm/pkcs11.rst RST 2020 @@ -1249,6 +1248,7 @@ ./doc/misc/static-stub.zoneopt X 2018,2019,2020 ./doc/misc/stub.zoneopt X 2018,2019,2020 ./doc/notes/notes-9.17.0.rst RST 2020 +./doc/notes/notes-9.17.1.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
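Review bot: In the new doc/notes/notes-9.17.1.rst, the Security Fixes entry says only that DNS rebinding protection was ineffective "when BIND 9 is configured as a forwarding DNS server". It does not name the configuration options that provide that protection, and it does not say whether an operator needs to do anything beyond upgrading. As this is the only security item in the release, suggest naming the affected options in the entry so that operators can check their own configuration against it. The tense mismatch carried over from the XML ("was ineffective when BIND 9 is configured") could be fixed in the same pass. In the Known Issues entry the issue reference is wrapped as "[GL" at the end of one line and "#1685]" on the next, so a search of the source for "GL #1685" will miss it; keep the reference on a single line as the other entries do.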
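Review bot: In util/copyrights, the first hunk removes ./doc/arm/notes-9.17.1.xml, but its context still lists ./doc/arm/notes-9.17.2.xml as SGML, and the doc/arm/notes.rst hunk adds an include only for ../notes/notes-9.17.1.rst. After this change the 9.17.2 notes remain in the old XML format and are not referenced from notes.rst. If they are meant to be rendered from the same rst tree, they need the same conversion and an include line above the 9.17.1 one; if that is handled in a separate change, a sentence in the commit message saying so would stop the next reader from treating it as an omission.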