3496. [func] Improvements to RPZ performance. The "response-policy"
syntax now includes a "min-ns-dots" clause, with
default 1, to exclude top-level domains from
NSIP and NSDNAME checking. --enable-rpz-nsip and
--enable-rpz-nsdname are now the default. [RT #32251]
Response policy (rpz) changes to
- add zone statistics
- speed up by adding min-ns-dots to the response-policy syntax
with a default of 1
- detect and reject policy zones with a database other than rbt
only rbtdb has rpz hooks
- allow empty response-policy{} statement
- make --enable-rpz-nsip and --enable-rpz-nsdname the default
Add
- optional "recursive-only yes|no" to the response-policy statement
- optional max-policy-ttl to limit the lies that "recursive-only no"
can introduce into resolvers' caches
- test that queries with RD=0 are not rewritten by default
- performance smoke test
Change encoding of PASSTHRU action to "rpz-passthru".
(The old encoding is still accepted.)
Fix rt26180 assert botch in zone_findrdataset() in this branch
as well.
Fix missing signatures on NOERROR results despite RPZ hits
when there are signatures and the client asks for DNSSEC,
- fix precedence among competing rules
- improve ARM text including documenting rule precedence
- try to rewrite CNAME chains until first hit
- new "rpz" logging channel
- same fix for "NS ." as in RT 24985
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
by the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, acttivated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248]
2156. [bug] Fix node reference leaks in lookup.c:lookup_find(),
resolver.c:validated() and resolver.c:cache_name().
Fix a memory leak in rbtdb.c:free_noqname().
Make lookup.c:lookup_find() robust against
event leaks. [RT #16685]
improving loading performance. The masterfile-format
option in named.conf can be used to specify a
non-default format. A separate command
named-compilezone was provided to generate zone files
in the new format. Additionally, the -I and -O options
for dnssec-signzone specify the input and output
formats.
improving loading performance. The masterfile-format
option in named.conf can be used to specify a
non-default format. A new separate command
named-compilezone was provided to generate zone files
in a new format.
an internal cache framework for additional section
content to improve response performance. Several
configuration options were provided to control the
behavior.
the API more consistant between dns_db_{add,subtract}rdataset(),
dns_rdataslab_{merge,subtract}().
Adjust previous CHANGES to reflect above as this is not yet end user visible.
Add missing CHANGES entry for add/merge.
DNS_RDATA_UPDATE flag.
531. [func] Rdata really should be initalized before being
assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(),
dns_rdata_clone(), dns_rdata_fromregion()),
check that it is.
