digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]
to DNSSEC but are semantically equal according to plain
DNS. Apply plain DNS comparisons rather than DNSSEC
comparisons when processing UPDATE requests.
dnssec-signzone now removes such semantically duplicate
records prior to signing the RRset.
named-checkzone -r {ignore|warn|fail} (default warn)
named-compilezone -r {ignore|warn|fail} (default warn)
named.conf: check-dup-records {ignore|warn|fail};
if built with './configure --enable-filter-aaaa'.
Filters out AAAA answers to clients connecting
via IPv4. (This is NOT recommended for general
use.) [RT #20339]
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943]
update are now fully supported and no longer require
defines to enable. We now no longer overload the
NSEC3PARAM flag field, nor the NSEC OPT bit at the
apex. Secure to insecure changes are controlled by
the named.conf option 'secure-to-insecure'.
Warning: If you had previously enabled support by
adding defines at compile time to BIND 9.6 you should
ensure that all changes that are in progress have
completed prior to upgrading to BIND 9.7. BIND 9.7
is not backwards compatible.
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC keys can now store metadata indicating when
they are scheduled to be published, activated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816]
optional second argument.
I had noticed a few days ago that the ARM grammar for sig-validity-interval
was missing the optional second number. I saw an email again about
this today. This is for part of my RT #19931.
Not adding a CHANGES entry for this (because the feature itself was
already documented.)
Evi asked me:
> what is the default value of the zone-statistics
> option? It's not listed in the ARM anywhere that I can find.
Not adding a CHANGES entry number for this minor one sentence
addition.
- add ddns-confgen command to generate
configuration text for named.conf
- add zone option "ddns-autoconf yes;", which
causes named to generate a TSIG session key
and allow updates to the zone using that key
- add '-l' (localhost) option to nsupdate, which
causes nsupdate to connect to a locally-running
named process using the session key generated
by named
[RT #19284]
section 6.2.10.3 The query-errors Category on PDF page 44.
For example output added newlines and replaced <computeroutput>
with <programlisting>.
For query-errors table, used hardcoded column widths as used
elsewhere in the ARM.
This is a continuation of CHANGE 2600 [RT #19574].
page widths. [RT #19574]
Split comments to multiple lines or move comments to own lines for
example.
Some fixed width examples are too wide for my printed page, so fixed
Splits many programlisting's to multiple lines.
Some move comments to above and some merge some comments.
Note that this patch covers configuration examples and also the "Grammar".
Also while here fix docbook formatting for a Not Implemented
check-names (but still that is too wide so I need to change). And
also the patch changes a couple tabs to spaces. And changed case of
example comments to be consistent with previous lines.
There shouldn't be any content changes here.
This doesn't complete this PR.
Even with this patch, the official ARM PDF has other text that disappears
into the right margin. So still working on this.