- the default setting for dnssec-validation is now "auto", which
activates DNSSEC validation using the IANA root key. The old behavior
can be restored by explicitly setting "dnssec-validation yes", which
"yes", which activates DNSSEC validation only if keys are explicitly
configured in named.conf.
- the ARM has been updated to describe the new behavior
- added a 1-second floor to max-stale-ttl similar to stale-answer-ttl;
if set to 0, it will be silently updated to 1.
- fixed the ARM entry on max-stale-ttl, which incorrectly suggested that
the default was 0 instead of 1 week.
- clarified rndc serve-stale documentation.
- mark the 'geoip-use-ecs' option obsolete; warn when it is used
in named.conf
- prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error
since simply ignoring the tags could make ACLs behave unpredictably
- re-simplify the radix and iptable code
- clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed()
and dns_geoip_match() so they no longer take ecs options
- remove the ECS-specific unit and system test cases
- remove references to ECS from the ARM
4873. [doc] Grammars for named.conf included in the ARM are now
automatically generated by the configuration parser
itself. As a side effect of the work needed to
separate zone type grammars from each other, this
also makes checking of zone statements in
named-checkconf more correct and consistent.
[RT #36957]
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
